<h1><a href="http://blog.godshell.com/blog/">Technological Musings</a></h1>
<p>Musings, ramblings, rants ...</p>
<h2><a href="http://blog.godshell.com/blog/archives/328-Hacker-is-not-a-dirty-word.html">Hacker is not a dirty word</a></h2>
<p>Have you ever had to fix a broken item and you didn’t have the right parts? Instead of just giving up, you looked around and found something that would work for the time being. Occasionally, you come back later and fix it “the right way,” but more often than not, that fix stays in place indefinitely. Or perhaps you’ve found a novel use for a device. It wasn’t built for that purpose, but you figured out that it fit the exact use you had in mind.</p>
<p>Those are the actions of a hacker. No, really. If you look up the definition of a hacker, you get all sorts of responses. Wikipedia has three separate entries for the word hacker in relation to technology:</p>
<blockquote>
<p><a href="https://en.wikipedia.org/wiki/Hacker_(computer_security)">Hacker</a> - someone who seeks and exploits weaknesses in a computer system or computer network</p>
<p><a href="https://en.wikipedia.org/wiki/Hacker_(hobbyist)">Hacker</a> - (someone) who makes innovative customizations or combinations of retail electronic and computer equipment</p>
<p><a href="https://en.wikipedia.org/wiki/Hacker_(programmer_subculture)">Hacker</a> - (someone) who combines excellence, playfulness, cleverness and exploration in performed activities</p>
</blockquote>
<p><a href="https://www.google.com/search?&amp;q=define%3A%20hacker&amp;sourceid=firefox">Google</a> defines it as follows:</p>
<blockquote>
<p>1. a person who uses computers to gain unauthorized access to data.</p>
<p>(informal) an enthusiastic and skillful computer programmer or user.</p>
<p>2. a person or thing that hacks or cuts roughly.</p>
</blockquote>
<p>And there are more. What’s interesting here is that depending on where you look, the word <a href="https://en.wikipedia.org/wiki/Hacker_%28term%29">hacker</a> means different things. It has become a pretty contentious word, mostly because the media has, over time, used it to describe the actions of a particular type of person. Specifically, hacker is often used to describe the criminal actions of a person who gains unauthorized access to computer systems. But make no mistake, the media is completely wrong on this and they’re using the word improperly.</p>
<p>Sure, the person who broke into that computer system and stole all of that data is most likely a hacker. But, first and foremost, that person is a <strong>criminal</strong>. Being a hacker is a lifestyle and, in many cases, a career choice. Much like being a lawyer or a doctor is a career choice. Why then is hacker used as a negative term to identify criminal activity and not doctor or lawyer? There are plenty of instances where doctors, lawyers, and people from a wide variety of professions have indulged in criminal activity.</p>
<p><a href="http://www.k3r3n3.com/">Keren Elazari</a> <a href="https://www.ted.com/talks/keren_elazari_hackers_the_internet_s_immune_system#t-172521">spoke</a> at TED in 2014 about hackers and their importance in our society. She notes that there are hackers who use their skills for criminal activity, but many more who use their skills to better the world. From hacktivist groups like <a href="https://en.wikipedia.org/wiki/Anonymous_%28group%29">Anonymous</a> to hackers like <a href="https://en.wikipedia.org/wiki/Barnaby_Jack">Barnaby Jack</a>, these people have changed the world in positive ways, helping to identify weaknesses in everything from computer systems to governments and laws. In her own words:</p>
<blockquote>
<p>My years in the hacker world have made me realize both the problem and the beauty about hackers: They just can't see something broken in the world and leave it be. They are compelled to either exploit it or try and change it, and so they find the vulnerable aspects in our rapidly changing world. They make us, they force us to fix things or demand something better, and I think we need them to do just that, because after all, it is not information that wants to be free, it's us.</p>
</blockquote>
<p>It’s time to stop letting the media use this word improperly. It’s time to take back what is ours. Hacker has long been a term used to describe those we look up to, those we seek to emulate. It is a term we hold dear, a term we seek to defend. When Loyd Blankenship was arrested in 1986, he wrote what has become known as the <a href="http://www.godshell.com/hackers-manifesto">Hacker’s Manifesto</a>. This document, often misunderstood, describes the struggle many of us went through, and the joy of discovering something we could call our own. Yes, we’re often misunderstood. Yes, we’ve been marginalized for a long time. But times have changed since then and our culture is strong and growing.</p>
<h2><a href="http://blog.godshell.com/blog/archives/327-Network-Enhanced-Telepathy.html">Network Enhanced Telepathy</a></h2>
<p>I’ve recently been reading <a href="http://wiredforwar.pwsinger.com/">Wired for War</a> by P.W. Singer and one of the concepts he mentions in the book is Network Enhanced Telepathy. This struck me as not only something that sounds incredibly interesting, but something that we’ll probably see hit mainstream in the next 5-10 years.</p>
<p>According to Wikipedia, <a href="https://en.wikipedia.org/wiki/Telepathy">telepathy</a> is “<em>the purported transmission of information from one person to another without using any of our known sensory channels or physical interaction.</em>” In other words, you can think <em>at</em> someone and communicate. The concept that Singer talks about in the book isn’t quite as “mystical” since it uses technology to perform the heavy lifting. In this case, technology brings fantasy into reality.</p>
<p>Scientists have <a href="http://www.foxnews.com/science/2014/03/28/know-what-youre-thinking-scientists-find-way-to-read-minds/">already</a> <a href="http://www.iflscience.com/brain/scientists-develop-brain-decoder-can-read-your-inner-thoughts">developed</a> methods to “read” thoughts from the human mind. These methods are by no means perfect, but they are a start. As we’ve seen with technology across the board from computers to robotics, electric cars to rockets, technological jumps may ramp up slowly, but then they rocket forward at a deafening pace. What seems like a trivial breakthrough at the moment may well lead to the next step in human evolution.</p>
<p>What Singer describes in the book is one step further. If we can read the human mind, and presumably write back to it, then adding a network in-between, allowing communication between minds, is obvious. Thus we have Network Enhanced Telepathy. And, of course, with that comes all of the baggage we associate with networks today. Everything from connectivity issues and lag to security problems.</p>
<p>The security issues associated with something like this range from inconvenient to downright horrifying. If you thought social engineering was bad, wait until we have a direct line straight into someone’s brain. Today, security issues can result in stolen data, denial of service issues, and, in some rare instances, destruction of property. These same issues may exist with this new technology as well.</p>
<p>Stolen data is pretty straightforward. Could an exploit allow an attacker to arbitrarily read data from someone’s mind? How would this work? Could they pinpoint the exact data they want, or would they only have access to the current “thoughts” being transmitted? While access to current thoughts might not be as bad as exact data, it’s still possible this could be used to steal important data such as passwords, secret information, etc. Pinpointing exact data could be absolutely devastating. Imagine, for a moment, what would happen if an attacker was able to pluck your innermost secrets straight out of your mind. Everyone has something to hide, whether that’s a deep dark secret, or maybe just the image of themselves in the bathroom mirror.</p>
<p>I’ve seen social engineering talks wherein the presenter talks about a technique to interrupt a person, mid-thought, and effectively create a <a href="http://www.social-engineer.org/framework/psychological-principles/human-buffer-overflow/">buffer overflow</a> of sorts, allowing the social engineer to insert their own directions. Taken to the next level, could an attacker perform a similar attack via a direct link to a person’s mind? If so, what access would the attacker then attain? Could we be looking at the next big thing in brainwashing? Merely insert the new programming, directly into the user.</p>
<p>How about Denial of Service attacks or physical destruction? Could an attacker cause physical damage in their target? Is a connection to the mind enough access to directly modify the cognitive functions of the target? Could an attacker induce something like <a href="https://en.wikipedia.org/wiki/Locked-in_syndrome">Locked-In syndrome</a> in a user? What about blocking specific functions, preventing the user from being able to move limbs, or speak? Since the brain performs regulatory control over the body, could an attacker modify the temperature, heart rate, or even induce sensations in their target? These are truly scary scenarios and warrant serious thought and discussion.</p>
<p>Technology is racing ahead at breakneck speeds and the future is an exciting one. These technologies could allow humans to take that next evolutionary step. But as with all technology, we should be looking at it with a critical eye. As technology and biology become more and more intertwined, it is essential that we tread carefully and be sure to address potential problems long before they become a reality.</p>
<h2><a href="http://blog.godshell.com/blog/archives/246-Suspended-Visible-Masses-of-Small-Frozen-Water-Crystals.html">Suspended Visible Masses of Small Frozen Water Crystals</a></h2>
<p class="whiteline">The Cloud, hailed as a panacea for all your IT related problems. Need storage? Put it in the Cloud. Email? Cloud. Voice? Wireless? Logging? Security? The Cloud is your answer. The Cloud can do it all.</p>
<p class="whiteline">But what does that mean? How is it that all of these problems can be solved by merely signing up for various cloud services? What <strong>is</strong> the cloud, anyway?</p>
<p class="whiteline">Unfortunately, defining what the cloud actually is remains problematic. It means many things to many people. The cloud can be something "simple" like extra storage space or email. <a href="http://drive.google.com">Google</a>, <a href="http://www.dropbox.com">Dropbox</a>, and others offer a service that allows you to store files on their servers, making them available to you from "anywhere" in the world. Anywhere, of course, if the local government and laws allow you to access the services there. These services are often free for a small amount of space.</p>
<p class="whiteline"><a href="http://www.gmail.com">Google</a>, <a href="http://www.outlook.com">Microsoft</a>, <a href="http://www.yahoo.com">Yahoo</a>, and many, many others offer email services, many of them "free" for personal use. In this instance, though, free can be tricky. Google, for instance, has algorithms that "read" your email and display advertisements based on the results. So while you may not exchange money for this service, you do exchange a level of privacy.</p>
<p class="whiteline">Cloud can also be pure computing power. Virtual machines running a variety of operating systems, available for the end-user to access and run whatever software they need. Companies like <a href="https://aws.amazon.com/">Amazon</a> have turned this into big business, offering a full range of back-end services for cloud-based servers. Databases, storage, raw computing power, it's all there. In fact, they have developed APIs allowing additional services to be spun up on-demand, augmenting existing services.</p>
<p class="whiteline">As time goes on, more and more services are being added to the cloud model. The temptation to drop self-hosted services and move to the cloud is constantly increasing. The incentives are definitely there. Cloud services are affordable, and there's no need for additional staff for support. All the benefits with very little of the expense. End-users have access to services they may not have had access to previously, and companies can save money and time by moving services they use to the cloud.</p>
<p class="whiteline">But as with any service, self-hosted or not, there are questions you should be asking. The answers, however, are sometimes a bit hard to get. But even without direct answers, there are some inferences you can make based on what the service is and what data is being transferred.</p>
<p class="whiteline">Data being accessible virtually anywhere, at any time, is one of the major draws of cloud services. But there are downsides. What happens when the service is inaccessible? For a self-hosted service, you have control and can spend the necessary time to bring the service back up. In some cases, you may have the ability to access some or all of the data, even without the service being fully restored. When you surrender your data to the cloud, you are at the mercy of the service provider. Not all providers are created equal and you cannot expect uniform performance and availability across all providers. This means that in the event of an outage, you are essentially helpless. Keeping local backups is definitely an option, but oftentimes you’re using the cloud so that you don’t need those local backups.</p>
<p class="whiteline">Speaking of backups, is the cloud service you’re using responsible for backups? Will they guarantee that your data will remain safe? What happens if you accidentally delete a needed file or email? These are important issues that come up quite often for a typical office. What about the other side of the question? If the service is keeping backups, are those backups secure? Is there a way to delete data, permanently, from the service? Accidents happen, so if you’ve uploaded a file containing sensitive information, or sent/received an email with sensitive information, what recourse do you have? Dropbox keeps <a href="https://www.google.com/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=3&amp;cad=rja&amp;uact=8&amp;ved=0CEwQFjAC&amp;url=https%3A%2F%2Fwww.dropbox.com%2Fen%2Fhelp%2F11&amp;ei=PmMDVai1EMKIsQSZ2oDoCA&amp;usg=AFQjCNG1m4S3ouUmMV4DiukBZs6GQiCc3A&amp;sig2=8E7EegbI2nqdh7nQY2BvQQ&amp;bvm=bv.88198703,d.cWc">snapshots</a> of all uploaded data for 30 days, but there doesn’t seem to be an official way to permanently delete a file. There are a number of articles out there claiming that this is possible, just follow the steps they provide, but can you be completely certain that the data is gone?</p>
<p class="whiteline">What about data security? Well, let's think about the data you're sending. For an email service, this is a fairly simple answer. Every email goes through that service. In fact, your email is stored on the remote server, and even deleted messages may hang around for a while. So if you're using email for anything sensitive, the security of that information is mostly out of your control. There's always the option of using some sort of encryption, but web-based services rarely support that. So data security is definitely an issue, and not necessarily an issue you have any control over. And remember, even the “big guys” make <a href="http://tech.slashdot.org/story/15/03/13/1648227/google-error-leaks-website-owners-personal-information?utm_source=slashdot&amp;utm_medium=twitter">mistakes</a>. Fishnet Security has an excellent <a href="https://www.fishnetsecurity.com/6labs/blog/top-security-questions-ask-your-cloud-provider">list of questions</a> you can ask cloud providers about their security stance.</p>
<p class="whiteline">Liability is an issue as well, though you may not initially realize it. Where, exactly, is your data stored? Do you know? Can you find out? This can be an important issue depending on what your industry is, or what you’re storing. If your data is being stored outside of your home country, it may be subject to the laws and regulations of the country it’s stored in.</p>
<p class="whiteline">There are a lot of aspects to deal with when thinking about cloud services. Before jumping into the fray, do your homework and make sure you’re comfortable with giving up control to a third party. Once you give up control, it may not be that easy to rein it back in.</p>
<h2><a href="http://blog.godshell.com/blog/archives/326-Boldly-Gone.html">Boldly Gone</a></h2>
<blockquote>I have been and always shall be your friend.</blockquote>
<p><img alt="Spock LLAP" src="https://blog.godshell.com/blog/uploads/Spock - LLAP.jpg" style="display:block; margin-left:auto; margin-right:auto; width:252px" title="Spock - LLAP.jpg" /></p>
<p>It's a sad day. We've lost a dear friend today, someone we grew up with, someone so iconic that he inspired generations. At the age of 83, Leonard Nimoy passed away. He will be missed.</p>
<p>It's amazing to realize how much someone you've never met can mean to you. People larger than life, people who will live on in memory forever. I've been continually moved for hours at the outpouring of grief and love online for Leonard. He has meant so much for so many, and his memory will live on forever.</p>
<blockquote>Of all the souls I have encountered in my travels, his was the most... human.</blockquote>
<div class="serendipity_center"><iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/vtQUePN5y40" width="560"></iframe></div>
<h2><a href="http://blog.godshell.com/blog/archives/325-Will-online-retailers-be-the-next-major-breach-target.html">Will online retailers be the next major breach target?</a></h2>
<p class="whiteline">In the past year we have seen <a href="http://krebsonsecurity.com/category/data-breaches/">several</a> high-profile breaches of brick and mortar retailers. Estimates range in the tens of millions of credit cards stolen in each case. For the most part, these retailers have weathered the storm with virtually no ill effects. In fact, the increase in stock price that TJ Maxx saw after its breach <a href="http://www.businessweek.com/articles/2014-05-23/why-investors-just-dont-care-about-data-breaches">still rings true</a> today. A sad fact indeed.</p>
<p class="whiteline">Regardless, the recent slew of breaches has finally prompted the credit card industry to act. They have declared that 2015 will be the year that <a href="https://en.wikipedia.org/wiki/Chip_and_PIN">chip and PIN</a> becomes the standard for all card-present transactions. And while chip and PIN isn't a silver bullet, and attackers will eventually find new and innovative ways to circumvent it, it has proven to be quite effective in Europe where it has been the standard for years.</p>
<p class="whiteline">Chip and PIN changes how the credit card information is transmitted to the processor. Instead of the credit card number being read, in plain text, off of the magnetic strip, the card reader initiates an encrypted communication between the chip on the card and the card reader. The card details are encrypted and sent, along with the user's PIN, to the card processor for verification. It is this encrypted communication between the card and, ultimately, the card processor that results in increased security. In short, the attack vectors used in recent breaches are difficult, if not impossible, to pull off with these new readers. Since the information is not decrypted until it hits the card processor, attackers can't simply skim the information at the card reader. There are, of course, other <a href="http://heartland.org/policy-documents/chip-and-pin-broken">attacks</a>, though these have not yet proven widespread.</p>
<p class="whiteline">At its heart, though, chip and PIN only "fixes" one type of credit card transaction: card-present transactions. That is, transactions in which the card holder physically scans their card via a card reader. The other type of transaction, card-not-present transactions, is unaffected by chip and PIN. In fact, the move to chip and PIN may put online transactions at greater risk. With brick and mortar attacks gone, attackers will move to online retailers. Despite the standard SSL encryption used between shoppers and online retailers, there are plenty of ways to steal credit card data. In fact, one might argue that a single attack could net more card numbers in a shorter time, since online retailers often store credit card data as a convenience for the user.</p>
<p class="whiteline">It seems that online fraud, though expected, is being largely ignored for the moment. After all, how are we going to protect that data without supplying card readers to every online shopper? Online solutions such as <a href="http://www.businessweek.com/articles/2014-05-23/why-investors-just-dont-care-about-data-breaches">PayPal</a>, <a href="https://payments.amazon.com/">Amazon Payments</a>, and others mitigate this problem slightly, but we still have to rely on the security they've put in place to protect cardholder data. Other solutions such as <a href="https://www.apple.com/iphone-6/apple-pay/">Apple Pay</a> and <a href="http://www.google.com/wallet">Google Wallet</a> seemingly combine online and offline protections, but the central data warehouse remains. The problem seems to be the security of the card number itself. And losing this data can be a huge burden for many users, as they have to systematically update payment information as the result of a possible breach. This can often lead to late payments, penalties, and more.</p>
<p class="whiteline">One possible alternative is to reduce the impact a single breach can cause. What if the data that retailers stored was of little or no value to an attacker while still allowing the retailer a way to simplify payments for the shopper? What if a breach at a retailer only affected that retailer and resulted in virtually no impact on the user? A solution like this may be just what we need.</p>
<p class="whiteline">Instead of providing a retailer your credit card number and CVV, the retailer is provided a simple token. That token, coupled with a private retailer-specific token, should be all that is needed to verify a transaction. Tokens can and should be different for each retailer. If a retailer is compromised, new tokens can be generated, reducing the impact on the user significantly. Attackers who successfully breach a retailer can only submit transactions if they can obtain both the private retailer token and the user token. And if processors put simple access-control lists in place, it increases the difficulty an attacker encounters when trying to push through a fraudulent transaction.</p>
<p class="whiteline">Obtaining tokens can be handled by redirecting a user to a payment gateway for their initial transaction. The payment gateway verifies the user and their credit card data, and then passes the generated token back to the retailer. This is similar to how retailers using existing online payment processors such as PayPal and Amazon Payments already handle payments. The credit card data never passes through the retailer network. The number of locations where credit card data is stored shrinks significantly as well. This, in turn, means that attackers have fewer targets, and while this increases the risk a payment processor network incurs, one can argue that these networks should already have significant defenses in place.</p>
<p class="break">This is only one possible solution for online payments. There are many other solutions out there being presented by both security and non-security folks. But there seems to be no significant movement on an online solution. Will it take several high-profile online breaches to convince credit card companies that a solution is needed? Or will credit card companies move to protect retailers and card holders ahead of attackers redirecting their efforts? If history is any indication, get used to having your card re-issued several times a year for the foreseeable future.</p>
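<p>As an added illustration of the token scheme sketched in the last three paragraphs (example code written for this page, not the post's own and not any real processor's API; the class and function names, retailer ids and the test card number are all constructed), the following Python models a processor that issues a per-retailer user token through the gateway step, requires the retailer's private token as an HMAC over every authorization, enforces an access-control list binding each token to the retailer it was issued to, and voids a breached retailer's tokens without touching the card itself.</p>

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Hypothetical model of the per-retailer token scheme; nothing here is a real
# payment processor's API.


def sign_request(retailer_secret: bytes, user_token: str, amount_cents: int) -> str:
    """What the retailer submits beside the user token: an HMAC keyed with its private token."""
    msg = f"{user_token}:{amount_cents}".encode()
    return hmac.new(retailer_secret, msg, hashlib.sha256).hexdigest()


class Processor:
    """Card processor that stores card data once and hands retailers tokens instead."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}                # user_id -> card number (the only copy)
        self._retailer_secrets: Dict[str, bytes] = {}   # retailer_id -> private retailer token
        self._tokens: Dict[str, Tuple[str, str]] = {}   # user token -> (user_id, retailer_id)

    def register_retailer(self, retailer_id: str) -> bytes:
        """Issue the private, retailer-specific token the retailer must keep secret."""
        secret = secrets.token_bytes(32)
        self._retailer_secrets[retailer_id] = secret
        return secret

    def gateway_enroll(self, user_id: str, card_number: str, retailer_id: str) -> str:
        """Payment gateway step: the shopper enters the card here, never at the retailer.

        Card verification is omitted. The returned token is bound to this one
        retailer; enrolling at another retailer yields a different token.
        """
        self._vault[user_id] = card_number
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user_id, retailer_id)
        return token

    def authorize(self, retailer_id: str, user_token: str,
                  amount_cents: int, mac: str) -> Tuple[bool, str]:
        """Approve a charge only when the user token AND the retailer's private token check out."""
        secret = self._retailer_secrets.get(retailer_id)
        if secret is None:
            return False, "unknown retailer"
        expected = sign_request(secret, user_token, amount_cents)
        if not hmac.compare_digest(expected, mac):
            return False, "retailer credential invalid"        # a stolen user token alone is useless
        entry = self._tokens.get(user_token)
        if entry is None:
            return False, "token unknown or revoked"
        user_id, issued_to = entry
        if issued_to != retailer_id:
            return False, "token not issued to this retailer"  # the access-control list
        card = self._vault[user_id]
        return True, f"approved {amount_cents} cents on card ending {card[-4:]}"

    def handle_retailer_breach(self, retailer_id: str) -> int:
        """Breach response: void every token issued to the retailer and rotate its secret.

        Cards in the vault are untouched, so no card has to be re-issued.
        """
        voided = [t for t, (_, r) in self._tokens.items() if r == retailer_id]
        for t in voided:
            del self._tokens[t]
        self._retailer_secrets[retailer_id] = secrets.token_bytes(32)
        return len(voided)


def scenario() -> Dict[str, bool]:
    """Walk through the post's argument with constructed data; each value is an outcome."""
    proc = Processor()
    shop_a_secret = proc.register_retailer("shop-a")
    shop_b_secret = proc.register_retailer("shop-b")
    # Alice enrols at the gateway while checking out at shop-a (constructed test card number).
    alice_at_a = proc.gateway_enroll("alice", "4111111111111111", "shop-a")

    results: Dict[str, bool] = {}
    # Normal purchase: shop-a holds both its private token and Alice's user token.
    results["legit"] = proc.authorize(
        "shop-a", alice_at_a, 1999, sign_request(shop_a_secret, alice_at_a, 1999))[0]
    # Attacker copied shop-a's token database but does not hold shop-a's private token.
    results["stolen_token_only"] = proc.authorize("shop-a", alice_at_a, 1999, "00" * 32)[0]
    # Attacker replays the stolen token through a retailer whose secret it does hold.
    results["replay_via_shop_b"] = proc.authorize(
        "shop-b", alice_at_a, 1999, sign_request(shop_b_secret, alice_at_a, 1999))[0]
    # shop-a discloses a breach: its tokens are voided and its secret rotated.
    results["voided_one_token"] = proc.handle_retailer_breach("shop-a") == 1
    results["after_breach_old_token"] = proc.authorize(
        "shop-a", alice_at_a, 1999, sign_request(shop_a_secret, alice_at_a, 1999))[0]
    # Alice's card is still on file; a fresh enrolment gives shop-a a new token.
    results["reenrolled"] = proc.gateway_enroll("alice", "4111111111111111", "shop-a") != alice_at_a
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:24s} {'approved' if outcome else 'refused'}")
```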
Bleeding Heart Securityhttp://blog.godshell.com/blog/archives/324-Bleeding-Heart-Security.html
<p>Unless you've been living under a rock the past few days, you've probably heard about the <a onclick="_gaq.push(['_trackPageview', '/extlink/heartbleed.com/']);" href="http://heartbleed.com/">Heartbleed</a> vulnerability in <a onclick="_gaq.push(['_trackPageview', '/extlink/openssl.org/']);" href="http://openssl.org/">OpenSSL</a> that was disclosed on Monday, April 7th. Systems and network administrators across the globe have spent the last few days testing for this vulnerability, patching systems, and probably rocking in the corner while crying. Yes, it's <a onclick="_gaq.push(['_trackPageview', '/extlink/xkcd.com/1353/']);" href="https://xkcd.com/1353/">that bad</a>. What's more, there are a number of reports that intelligence agencies may <a onclick="_gaq.push(['_trackPageview', '/extlink/www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013']);" href="https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013">have</a> <a onclick="_gaq.push(['_trackPageview', '/extlink/www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html']);" href="http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html">known</a> about this vulnerability for some time now.</p>
<p>The quick and dirty is that a buffer overflow bug in the code allows an attacker to remotely read memory of an affected system in 64k chunks. The only memory accessible to an attacker would be memory used by the process being connected to, but, depending on the process, there may be a LOT of useful data in there. For instance, Yahoo was <a onclick="_gaq.push(['_trackPageview', '/extlink/twitter.com/markloman/status/453502888447586304']);" href="https://twitter.com/markloman/status/453502888447586304">leaking</a> usernames and passwords until late Tuesday evening.</p>
<p>The fabulous web comic, xkcd, <a onclick="_gaq.push(['_trackPageview', '/extlink/xkcd.com/1354']);" href="https://xkcd.com/1354">explains</a> how the attack works in layman's terms. If you're interested in the real <a onclick="_gaq.push(['_trackPageview', '/extlink/blog.didierstevens.com/2014/04/09/heartbleed-packet-capture/']);" href="http://blog.didierstevens.com/2014/04/09/heartbleed-packet-capture/">nitty gritty</a> of this vulnerability, though, there's an excellent <a onclick="_gaq.push(['_trackPageview', '/extlink/blog.ioactive.com/2014/04/bleeding-hearts.html']);" href="http://blog.ioactive.com/2014/04/bleeding-hearts.html">write-up</a> on the IOActive Labs blog. If you're the type that likes to play, you can find proof-of-concept code <a onclick="_gaq.push(['_trackPageview', '/extlink/gist.github.com/takeshixx/10107280']);" href="https://gist.github.com/takeshixx/10107280">here</a>. And let's not forget about the client side, there's <a onclick="_gaq.push(['_trackPageview', '/extlink/github.com/Lekensteyn/pacemaker']);" href="https://github.com/Lekensteyn/pacemaker">PoC code</a> for that as well.</p>
<p>OpenSSL versions 1.0.1 through 1.0.1f as well as the 1.0.2 beta code are affected. The folks at OpenSSL released version 1.0.1g on Monday which fixed the problem. Or, at least, the current problem. There's a <a onclick="_gaq.push(['_trackPageview', '/extlink/article.gmane.org/gmane.os.openbsd.misc/211963']);" href="http://article.gmane.org/gmane.os.openbsd.misc/211963">bit</a> of <a onclick="_gaq.push(['_trackPageview', '/extlink/www.tedunangst.com/flak/post/heartbleed-vs-mallocconf']);" href="http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf">chatter</a> about <a onclick="_gaq.push(['_trackPageview', '/extlink/www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse']);" href="http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse">other</a> issues that may be lurking in the OpenSSL codebase.</p>
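<p>To make the bug and the 1.0.1g fix concrete, here is a small constructed model of the heartbeat handler, added for this write-up and not OpenSSL's own source: the vulnerable copy sits beside the length check the patch added, and the record bytes and the "secret" placed after them in memory are made up for the demonstration.</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the TLS heartbeat handler behind Heartbleed (not
 * OpenSSL's code).  A heartbeat record, after the TLS record header, is:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The handler echoes the payload back.  The bug was using the peer-supplied
 * payload_length for the copy without checking it against the number of
 * bytes that actually arrived, so memory after the record was echoed too.
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3    /* type + 2-byte length */
#define HB_PADDING   16   /* minimum padding required by RFC 6520 */

/* Build the response for a heartbeat request.  `rec` points at the record as
 * it sits in memory and `rec_len` is how many bytes were really received.
 * check_bounds == 0 reproduces the vulnerable logic; check_bounds == 1 applies
 * the check added in OpenSSL 1.0.1g.  Returns bytes written to `out`, or 0 when
 * the record is rejected or the response would not fit in out_cap. */
static size_t heartbeat_reply(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap, int check_bounds)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];  /* peer controlled */
    size_t resp_len = HB_HEADER + payload_len + HB_PADDING;

    /* The missing check: the claimed length must fit inside what was received. */
    if (check_bounds && resp_len > rec_len)
        return 0;                        /* silently discard, as the patch does */

    if (resp_len > out_cap)              /* response buffer was sized to the claim */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Without the check this reads payload_len bytes starting at the payload,
     * running past the record's real end into neighbouring process memory. */
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);  /* real code used random padding */
    return resp_len;
}

size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    return heartbeat_reply(rec, rec_len, out, out_cap, 0);
}

size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    return heartbeat_reply(rec, rec_len, out, out_cap, 1);
}

/* Constructed "process memory": a 2-byte payload ("hi") plus padding, with a
 * stand-in for sensitive data placed right after the record, the way session
 * data or key material happened to sit near the record buffer in practice.
 * `claimed_len` is what the peer writes into payload_length.  Returns the
 * length of the record that actually arrived (0 if the arena is too small). */
#define DEMO_SECRET "SESSION-COOKIE=abc123"   /* constructed sample value */

size_t build_arena(uint8_t *arena, size_t cap, uint16_t claimed_len)
{
    size_t n = 0;
    if (cap < HB_HEADER + 2 + HB_PADDING + sizeof DEMO_SECRET)
        return 0;
    arena[n++] = HB_REQUEST;
    arena[n++] = (uint8_t)(claimed_len >> 8);
    arena[n++] = (uint8_t)(claimed_len & 0xff);
    arena[n++] = 'h';
    arena[n++] = 'i';
    memset(arena + n, 0xAA, HB_PADDING);
    n += HB_PADDING;
    memcpy(arena + n, DEMO_SECRET, sizeof DEMO_SECRET);  /* adjacent, not part of the record */
    return n;
}

int main(void)
{
    uint8_t arena[256] = {0}, out[256];
    size_t rec_len = build_arena(arena, sizeof arena, 40);  /* claims 40 bytes, sent 2 */
    size_t n = heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: %zu bytes echoed for a %zu byte record\n", n, rec_len);
    printf("  bytes past the record: %.*s\n", (int)(n - HB_PADDING - rec_len), out + rec_len);
    printf("fixed: %zu bytes (0 = request discarded)\n",
           heartbeat_fixed(arena, rec_len, out, sizeof out));
    return 0;
}
```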
<p>Now that a few days have passed, however, what remains to be done? After all, everyone has patched their servers, right? Merely patching doesn't make the problem disappear, though. Vulnerable code is out there and mistakes can be made. For the foreseeable future, you should be regularly scanning your network for vulnerable systems with something like Nmap. The Nmap NSE for Heartbleed scanning is already <a onclick="_gaq.push(['_trackPageview', '/extlink/nmap.org/nsedoc/scripts/ssl-heartbleed.html']);" href="http://nmap.org/nsedoc/scripts/ssl-heartbleed.html">available</a>. Alternatively, you can use something like Nagios to regularly <a onclick="_gaq.push(['_trackPageview', '/extlink/exchange.nagios.org/directory/Plugins/Security/check_heartbleed/details']);" href="http://exchange.nagios.org/directory/Plugins/Security/check_heartbleed/details">check</a> your existing servers.</p>
<p>Patching immediately may not have prevented a breach, either. Since Heartbleed doesn't leave much of a trace beyond some oddities that your IDS may have seen, there's virtually no way to know if anything has been taken. The best way to deal with this is to just go ahead and assume that your private keys are compromised and start replacing them. New keys, new certs. It's painful, it's slow, but it's <a onclick="_gaq.push(['_trackPageview', '/extlink/dankaminsky.com/2014/04/12/bloody-cert-certified/']);" href="http://dankaminsky.com/2014/04/12/bloody-cert-certified/">necessary</a>.</p>
<p>For end users, the best thing you can do is change your passwords. I'm not aware of any &quot;big&quot; websites that have not patched by now, so changing passwords should be relatively safe. However, that said, <a onclick="_gaq.push(['_trackPageview', '/extlink/www.wired.com/2014/04/heartbleed/']);" href="http://www.wired.com/2014/04/heartbleed/">Wired</a> and <a onclick="_gaq.push(['_trackPageview', '/extlink/www.engadget.com/2014/04/09/how-to-avoid-heartbleed/?']);" href="http://www.engadget.com/2014/04/09/how-to-avoid-heartbleed/?">Engadget</a> have some of the best advice I've seen about this. In short, change your passwords today, then change them again in a few weeks. If you're really paranoid, change them a third time in about a month. By that time, any site that is going to patch will have already patched.</p>
<p>Unfortunately, I think the fun is just beginning. I expect we'll start seeing a number of related attacks. Phishing attacks are the most likely in the beginning. If private keys were compromised, then attackers can potentially impersonate websites, including their SSL certificates. This would likely involve a DNS poisoning attack, but could also be accomplished by compromising a user's local system and setting a hosts file entry. Certificate revocation is a potential defense against this, but since many browsers have CRL checks <a onclick="_gaq.push(['_trackPageview', '/extlink/news.ycombinator.com/item?id=7556909']);" href="https://news.ycombinator.com/item?id=7556909">disabled</a> by default, it probably won't help. Users will have to watch what they click, where they go, and what software they run. Not much different from the advice given already.</p>
<p>Another possible source of threats is consumer devices. As Bruce Schneier <a onclick="_gaq.push(['_trackPageview', '/extlink/www.schneier.com/blog/archives/2014/04/heartbleed.html']);" href="https://www.schneier.com/blog/archives/2014/04/heartbleed.html">put it</a>, &quot;An upgrade path that involves the trash, a visit to Best Buy, and a credit card isn't going to be fun for anyone.&quot; What he's referring to are the many embedded devices we use on a daily basis that may never receive updates to protect the end user. In other words, that router you purchased from the discount store? That may be affected and unless you replace it, you'll continue to be vulnerable. Fortunately, most of these devices aren't configured, by default, to face the Internet, so there may yet be hope.</p>
<p>The Heartbleed vulnerability is a serious contender for the worst security vulnerability ever released. I'm not sure of another vulnerability that exposes so many systems to such a degree as this one. Network and systems administrators will be cleaning up after this one for a while.</p>
Looking into the SociaVirtualistic Future
http://blog.godshell.com/blog/archives/323-Looking-into-the-SociaVirtualistic-Future.html
<p class="whiteline">Let's get this out of the way. One of the primary reasons I'm writing this is in response to a request by <a onclick="_gaq.push(['_trackPageview', '/extlink/twitter.com/ID_AA_Carmack/status/449594072244568064']);" href="https://twitter.com/ID_AA_Carmack/status/449594072244568064">John Carmack</a> for coherent commentary about the recent acquisition of <a onclick="_gaq.push(['_trackPageview', '/extlink/www.oculusvr.com/']);" href="http://www.oculusvr.com/">Oculus VR</a> by Facebook. My hope is that he does, in fact, read this and maybe drop a comment in response. &lt;fanboy&gt;Hi John!&lt;/fanboy&gt; I've been a huge Carmack fan since the early ID days, so please excuse the fanboyism.</p><p class="whiteline">And I *just* saw the news that Michael Abrash has <a onclick="_gaq.push(['_trackPageview', '/extlink/www.oculusvr.com/blog/introducing-michael-abrash-oculus-chief-scientist/']);" href="http://www.oculusvr.com/blog/introducing-michael-abrash-oculus-chief-scientist/">joined</a> Oculus as well, which is also incredibly exciting. Abrash is an Assembly GOD. &lt;Insert more fanboyism here /&gt;</p><p class="whiteline">Ok, on to the topic at hand. The Oculus Rift is a VR headset that got its public start with a <a onclick="_gaq.push(['_trackPageview', '/extlink/www.kickstarter.com/']);" href="https://www.kickstarter.com/">Kickstarter</a> campaign in September of 2012. It blew away its meager goal of $250,000 and raked in almost $2.5 Million. For a mere $275 and some patience, contributors would receive an unassembled prototype of the Oculus Rift. Toss in another $25 and you received an assembled version.</p><p class="whiteline">But what is the Oculus Rift? 
According to the <a onclick="_gaq.push(['_trackPageview', '/extlink/www.kickstarter.com/projects/1523379957/oculus-rift-step-into-the-game?ref=live']);" href="https://www.kickstarter.com/projects/1523379957/oculus-rift-step-into-the-game?ref=live">Kickstarter campaign</a> :</p><p class="whiteline"><blockquote>Oculus Rift is a new virtual reality (VR) headset designed specifically for video games that will change the way you think about gaming forever. With an incredibly wide field of view, high resolution display, and ultra-low latency head tracking, the Rift provides a truly immersive experience that allows you to step inside your favorite game and explore new worlds like never before.</blockquote></p><p class="whiteline">In short, the Rift is the culmination of every VR lover's dreams. Put a pair of these puppies on and magic appears before your eyes.</p><p class="whiteline">For myself, Rift was interesting, but probably not something I could ever use. Unfortunately, I suffer from <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Amblyopia']);" href="https://en.wikipedia.org/wiki/Amblyopia">Amblyopia</a>, or Lazy Eye as it's commonly called. I'm told I don't see 3D. Going to 3D movies pretty much confirms this for me since nothing ever jumps out of the screen. So as cool as VR sounds to me, I would miss out on the 3D aspect. Though it might be possible to "tweak" the headset and adjust the angles a bit to force my eyes to see 3D. I'm not sure if that's good for my eyes, though.</p><p class="whiteline">At any rate, the Rift sounds like an amazing piece of technology. In the past year I've watched a number of videos demonstrating the capabilities of the Rift. 
From the <a onclick="_gaq.push(['_trackPageview', '/extlink/hak5.org/']);" href="http://hak5.org/">Hak5</a> crew to <a onclick="_gaq.push(['_trackPageview', '/extlink/benheck.com/']);" href="http://benheck.com/">Ben Heck</a>, the reviews have all been positive.</p><p class="whiteline">And then I <a onclick="_gaq.push(['_trackPageview', '/extlink/www.oculusvr.com/blog/john-carmack-joins-oculus-as-cto/']);" href="http://www.oculusvr.com/blog/john-carmack-joins-oculus-as-cto/">learned</a> that John Carmack joined Oculus. I think that was about the time I realized that Oculus was the real deal. John is a visionary in so many different ways. One can argue that modern 3D gaming is largely due to the work he did in the field. In more recent years, his visions have aimed a bit higher with his rocket company, <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Armadillo_Aerospace']);" href="https://en.wikipedia.org/wiki/Armadillo_Aerospace">Armadillo Aerospace</a>. Armadillo started <a onclick="_gaq.push(['_trackPageview', '/extlink/arstechnica.com/science/2013/08/john-carmacks-8m-pipe-dream-meets-reality-armadillo-aerospace-on-life-support/']);" href="http://arstechnica.com/science/2013/08/john-carmacks-8m-pipe-dream-meets-reality-armadillo-aerospace-on-life-support/">winding down</a> last year, right about the time that John joined Oculus, leaving him plenty of time to deep dive into a new venture.</p><p class="whiteline">For anyone paying attention, Oculus was recently <a onclick="_gaq.push(['_trackPageview', '/extlink/www.ign.com/articles/2014/03/25/facebook-to-acquire-oculus-vr-for-2-billion']);" href="http://www.ign.com/articles/2014/03/25/facebook-to-acquire-oculus-vr-for-2-billion">acquired</a> by Facebook for a mere $2 Billion. Since the announcement, I've seen a lot of hatred being tossed around on Twitter. 
Some of this hatred seems to be Kickstarter backers who are under some sort of delusion that makes them believe they have a say in anything they back. I see this a lot, especially when a project is taking longer than they believe it should.</p><p class="whiteline">I can easily write several blog posts on my personal views about this, but to sum it up quickly, if you back a project, you're contributing to make something a reality. Sometimes that works, sometimes it doesn't. But Kickstarter clearly states that you're merely contributing financial backing, not gaining a stake in a potential product and/or company. Nor are you guaranteed to receive the perks you've contributed towards. So suck it up and get over it. You never had control to begin with.</p><p class="whiteline">I think Notch, of Minecraft fame, wrote a really good <a onclick="_gaq.push(['_trackPageview', '/extlink/notch.net/2014/03/virtual-reality-is-going-to-change-the-world/']);" href="http://notch.net/2014/03/virtual-reality-is-going-to-change-the-world/">post</a> about his feelings on the subject. I think he has his head right. He contributed, did his part, and though it's not working out the way he wanted, he's still willing to wish the venture luck. He may not want to play in that particular sandbox, but that's his choice.</p><p class="whiteline">VR in a social setting is fairly interesting. In his first Oculus blog post, Michael Abrash mentioned reading <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Neal_Stephenson']);" href="https://en.wikipedia.org/wiki/Neal_Stephenson">Neal Stephenson's</a> incredible novel, <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Snow_crash']);" href="https://en.wikipedia.org/wiki/Snow_crash">Snow Crash</a>. Snow Crash provided me with a view of what virtual reality might bring to daily life. 
Around the same time, the movie <a onclick="_gaq.push(['_trackPageview', '/extlink/www.imdb.com/title/tt0104692/?ref_=fn_al_tt_1']);" href="http://www.imdb.com/title/tt0104692/?ref_=fn_al_tt_1">Lawnmower Man</a> was released. Again, VR was brought into the forefront of my mind. But despite the promises of books and movies, VR remained elusive.</p><p class="whiteline">More recently, I read a novel by Ernest Cline, <a onclick="_gaq.push(['_trackPageview', '/extlink/readyplayerone.com/']);" href="http://readyplayerone.com/">Ready Player One</a>. Without giving too much away, the novel centers around a technology called the OASIS. Funnily enough, the OASIS is, effectively, a massive social network that users interact with via VR rigs. OASIS was the first thing I thought about when I heard about the Facebook / Oculus acquisition.</p><p class="whiteline">For myself, my concern is Facebook. Despite being a massively popular platform, I think users still distrust Facebook quite a bit. I lasted about 2 weeks on Facebook before having my account deleted. I understand their business model and I have no interest in taking part. Unfortunately, I'm starting to miss out on some aspects of Internet life since some sites are requiring Facebook accounts for access. Ah well, I guess they miss out on me as well.</p><p class="whiteline">I have a lot of distrust in Facebook at the moment. They wield an incredible amount of information about users and, to be honest, they're nowhere near transparent enough for me to believe what they say. Google is slightly better, but there's some distrust there as well. But more than just the distrust, I'm afraid that Facebook is going to take something amazing and destroy it in a backwards attempt to monetize it. I'm afraid that Facebook is the IOI of this story. (It's a Ready Player One reference. Go read it, you can thank me later)</p><p class="whiteline">Ultimately, I have no stake in this particular game. At least, not yet, anyway. 
Maybe I'm wrong and Facebook makes all the right moves. Maybe they become a power for good and are able to bring VR to the masses. Maybe people like Carmack and Abrash can protect Oculus and fend off any fumbling attempts Facebook may make at clumsy monetization. I'm not sure how this will play out; only time will tell.</p><p class="whiteline">How will we know how things are going? Well, for one, watching how Facebook interacts with this new property will be pretty telling. I think if Facebook is able to sit in the shadows and watch rather than kicking in the front door and taking over, maybe Oculus will have a chance to thrive. Watching what products are ultimately released by Oculus will be another telling aspect. While I fully expect that Oculus will add some sort of Facebook integration into the SDK over time, I'm also hoping that they continue to provide an SDK for standalone applications.</p><p class="break">I sincerely wish Carmack, Abrash, and the rest of the Oculus team the best. I think they're in a position where they can make amazing things happen, and I'm eager to see what comes next.</p>
Keepin' TCP Alive
http://blog.godshell.com/blog/archives/322-Keepin-TCP-Alive.html
<p class="whiteline">I was debugging an odd network issue lately that turned out to have a pretty simple explanation. A client on the network was intermittently experiencing significant delays in accessing the network. Upon closer inspection, it turned out that prior to the delay, the client was being left idle for long periods of time. With this additional information it was pretty easy to identify that there was likely a connection between the client and server that was being torn down for being idle.</p>
<p class="whiteline">So in the end, the cause of the problem itself was pretty simple to identify. The fix, however, is more of a conundrum. The obvious answer is to adjust the timers and prevent the connection from being torn down. But what timers should be adjusted? There are the <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Keepalive']);" href="https://en.wikipedia.org/wiki/Keepalive">keepalive</a> timers on the client, the keepalive timers on the server, and the idle teardown timers on the firewall in the middle.</p>
<p class="whiteline">TCP keepalive handling varies between operating systems. If we look at the three major operating systems, Linux, Windows, and OS X, then we can make the blanket statement that, by default, keepalives are sent after two hours of idle time. But, most firewalls seem to have a default TCP teardown timer of one hour. These defaults are not conducive to keeping idle connections alive.</p>
<p class="break">The optimal scenario for timeouts is for the clients to have a keepalive timer that fires at an interval lower than that of the idle TCP timeout on the firewall. The actual values to use, as well as which devices should be changed, are up for debate. The firewall is clearly the easier point at which to make such a change. Typically there are very few firewall devices that would need to be updated as compared to the larger number of client devices. Additionally, there will likely be fewer firewalls added to the network over time, so ensuring that timers are properly set is much easier. On the other hand, the defaults that firewalls are generally configured with have been chosen specifically by the vendor for legitimate reasons. So perhaps the clients should conform to the setting on the firewall? What is the optimal solution?</p>
<p class="break">And why would we want to allow idle connections anyway? After all, if a connection is idle, it's not being used. Clearly, any application that needed a connection to remain open would send some sort of keepalive, right? Is there a valid reason to allow these sorts of connections for an extended period of time?</p>
<p class="break">As it turns out, there are valid reasons for connections to remain active, but idle. For instance, database connections are often kept for longer periods of time for performance purposes. The TCP handshake can take a considerable amount of time to perform as opposed to the simple matter of retrieving data from a database. So if the database connection remains established, additional data can be retrieved without the overhead of TCP setup. But in these instances, shouldn't the application ensure that keepalives are sent so that the connection is not prematurely terminated by an idle timer somewhere along the data path? Well, yes. Sort of. Allow me to explain.</p>
<p class="break">When I first discovered the source of the network problem we were seeing, I chalked it up to lazy programming. While it shouldn't take much to add a simple keepalive system to a networked application, it is extra work. As it turns out, however, the answer isn't quite that simple. All three major operating systems, Windows, Linux, and OS X, have kernel level mechanisms for TCP keepalives. Each OS has a slightly different take on how keepalive timers should work.</p>
<blockquote>
<p class="break">Linux has <a onclick="_gaq.push(['_trackPageview', '/extlink/tldp.org/HOWTO/TCP-Keepalive-HOWTO/usingkeepalive.html']);" href="http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/usingkeepalive.html">three parameters</a> related to TCP keepalives:</p>
<dl>
<dt>tcp_keepalive_time</dt>
<dd>The interval between the last data packet sent (simple ACKs are not considered data) and the first keepalive probe; after the connection is marked to need keepalive, this counter is not used any further</dd>
<dt>tcp_keepalive_intvl</dt>
<dd>The interval between subsequential keepalive probes, regardless of what the connection has exchanged in the meantime</dd>
<dt>tcp_keepalive_probes</dt>
<dd>The number of unacknowledged probes to send before considering the connection dead and notifying the application layer</dd>
</dl>
<p class="break">OS X works quite similarly to Linux, which makes sense since they're both *nix variants. OS X has <a onclick="_gaq.push(['_trackPageview', '/extlink/www.unix.com/man-page/freebsd/4/TCP/']);" href="http://www.unix.com/man-page/freebsd/4/TCP/">four parameters</a> that can be set.</p>
<dl>
<dt>keepidle</dt>
<dd>Amount of time, in milliseconds, that the connection must be idle before keepalive probes (if enabled) are sent. The default is 7200000 msec (2 hours).</dd>
<dt>keepintvl</dt>
<dd>The interval, in milliseconds, between keepalive probes sent to remote machines, when no response is received on a keepidle probe. The default is 75000 msec.</dd>
<dt>keepcnt</dt>
<dd>Number of probes sent, with no response, before a connection is dropped. The default is 8 packets.</dd>
<dt>always_keepalive</dt>
<dd>Assume that SO_KEEPALIVE is set on all TCP connections, the kernel will periodically send a packet to the remote host to verify the connection is still up.</dd>
</dl>
<p class="break">Windows acts very differently from Linux and OS X. Again, there are <a onclick="_gaq.push(['_trackPageview', '/extlink/blogs.technet.com/b/nettracer/archive/2010/06/03/things-that-you-may-want-to-know-about-tcp-keepalives.aspx?Redirected=true']);" href="http://blogs.technet.com/b/nettracer/archive/2010/06/03/things-that-you-may-want-to-know-about-tcp-keepalives.aspx?Redirected=true">three parameters</a>, but they perform entirely different tasks. All three parameters are registry entries.</p>
<dl>
<dt>KeepAliveInterval</dt>
<dd>This parameter determines the interval between TCP keep-alive retransmissions until a response is received. Once a response is received, the delay until the next keep-alive transmission is again controlled by the value of KeepAliveTime. The connection is aborted after the number of retransmissions specified by TcpMaxDataRetransmissions have gone unanswered.</dd>
<dt>KeepAliveTime</dt>
<dd>The parameter controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote system is still reachable and functioning, it acknowledges the keep-alive transmission. Keep-alive packets are not sent by default. This feature may be enabled on a connection by an application.</dd>
<dt>TcpMaxDataRetransmissions</dt>
<dd>This parameter controls the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The Retransmission Timeout (RTO) value is dynamically adjusted, using the historical measured round-trip time (Smoothed Round Trip Time) on each connection. The starting RTO on a new connection is controlled by the TcpInitialRtt registry value.</dd>
</dl>
</blockquote>
<p class="break">There's a pretty good reference page with information on how to set these parameters that can be found <a onclick="_gaq.push(['_trackPageview', '/extlink/www.gnugk.org/keepalive.html']);" href="http://www.gnugk.org/keepalive.html">here</a>.</p>
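<p class="break">As an added example, not from the original post, the following C code sets the Linux per-socket equivalents of the three parameters above (TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT, which override tcp_keepalive_time, tcp_keepalive_intvl and tcp_keepalive_probes for one connection), reads them back, and checks whether the chosen idle time fires before a firewall's teardown timer. The 600/60/5 values and the 3600 second firewall timer are assumptions for illustration.</p>

```c
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example (not from the original post): per-socket overrides of the
 * kernel-wide keepalive parameters on Linux.  Names follow <netinet/tcp.h>. */
struct keepalive_cfg {
    int idle_sec;   /* like tcp_keepalive_time: idle time before the first probe */
    int intvl_sec;  /* like tcp_keepalive_intvl: gap between unanswered probes  */
    int cnt;        /* like tcp_keepalive_probes: probes lost before giving up  */
};

#if defined(__APPLE__) && !defined(TCP_KEEPIDLE)
#define TCP_KEEPIDLE TCP_KEEPALIVE   /* OS X names the idle option differently */
#endif

/* Enable keepalives on fd with the given timers.  Returns 0, or -1 with errno set. */
int keepalive_apply(int fd, const struct keepalive_cfg *cfg)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &cfg->idle_sec, sizeof cfg->idle_sec) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &cfg->intvl_sec, sizeof cfg->intvl_sec) < 0)
        return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cfg->cnt, sizeof cfg->cnt) < 0)
        return -1;
    return 0;
}

/* Read back the timers the kernel will actually use for this socket. */
int keepalive_read(int fd, struct keepalive_cfg *cfg)
{
    socklen_t len = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &cfg->idle_sec, &len) < 0)
        return -1;
    len = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &cfg->intvl_sec, &len) < 0)
        return -1;
    len = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cfg->cnt, &len) < 0)
        return -1;
    return 0;
}

/* Seconds from the last data until the kernel declares a silent peer dead. */
int keepalive_dead_after(const struct keepalive_cfg *cfg)
{
    return cfg->idle_sec + cfg->intvl_sec * cfg->cnt;
}

/* Nonzero if the first probe goes out before a middlebox with the given idle
 * teardown timer would drop the session.  The defaults discussed in the post
 * (two hours on the host, one hour on the firewall) fail this test. */
int keepalive_beats_timeout(const struct keepalive_cfg *cfg, int firewall_idle_sec)
{
    return cfg->idle_sec < firewall_idle_sec;
}

int main(void)
{
    struct keepalive_cfg want = { 600, 60, 5 };   /* assumed values: 10 min idle, then 5 probes 60 s apart */
    struct keepalive_cfg got;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || keepalive_apply(fd, &want) < 0 || keepalive_read(fd, &got) < 0) {
        perror("keepalive");
        return 1;
    }
    printf("idle=%d intvl=%d cnt=%d -> dead after %d s; beats 3600 s firewall timer: %s\n",
           got.idle_sec, got.intvl_sec, got.cnt, keepalive_dead_after(&got),
           keepalive_beats_timeout(&got, 3600) ? "yes" : "no");
    close(fd);
    return 0;
}
```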
<p class="break">We still haven't answered the question of optimal settings. Unfortunately, there doesn't seem to be a correct answer. The defaults provided by most firewall vendors seem to have been chosen to ensure that the firewall does not run out of resources. Each connection through the firewall must be tracked. As a result, each connection uses up a portion of memory and CPU. Since both memory and CPU are finite resources, administrators must be careful not to exceed the limits of the firewall platform.</p>
<p class="break">There is some good news. Firewalls have had a one hour TCP timeout timer for quite a while. As time has passed and new revisions of firewall hardware are released, the CPU has become more powerful and the amount of memory in each system has grown. The default one hour timer, however, has remained in place. This means that modern firewall platforms are much better prepared to handle an increase in the number of connections tracked. Ultimately, the firewall platform must be monitored and appropriate action taken if resource usage becomes excessive.</p>
<p class="break">My recommendation would be to start by setting the firewall TCP teardown timer to a value slightly higher than that of the clients. For most networks, this would be slightly over two hours. The firewall administrator should monitor the number of connections tracked on the firewall as well as the resources used by the firewall. Adjustments should be made as necessary.</p>
<p class="break">If longer lasting idle connections are unacceptable, then a slightly different tactic can be used. The firewall teardown timer can be set to a level comfortable to the administrator of the network. Problematic clients can be updated to send keepalive packets at a shorter interval. These changes will likely only be necessary on servers. Desktop systems don't have the same need as servers for long-term establishment of idle connections.</p>
Becoming your own CA
http://blog.godshell.com/blog/archives/321-Becoming-your-own-CA.html
<p class="whiteline">SSL, as I mentioned in a previous <a href="http://blog.godshell.com/blog/archives/319-SSL-Security.html">blog</a> entry, has some issues when it comes to trust. But regardless of the problems with SSL, it is a necessary part of the security toolchain. In certain situations, however, it is possible to overcome these trust issues.</p>
<p class="whiteline">Commercial providers are not the only entities that are capable of being a <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Certificate_authority']);" href="https://en.wikipedia.org/wiki/Certificate_authority">Certificate Authority</a>. In fact, anyone can become a CA and the tools to do so are available for free. Becoming your own CA is a fairly painless process, though you might want to brush up on your OpenSSL skills. And lest you think you can just start signing certificates and selling them to third parties, it's not quite that simple. The well-known certificate authorities have worked with browser vendors to have their root certificates added as part of the browser installation process. You'll have to convince the browser vendors that they need to add your root certificate as well. Good luck.</p>
<p class="whiteline">Having your own CA provides you the means to import your own root certificate into your browser and use it to validate certificates you use within your network. You can use these SSL certificates for more than just websites as well. <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Ldap']);" href="https://en.wikipedia.org/wiki/Ldap">LDAP</a>, <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/RADIUS']);" href="https://en.wikipedia.org/wiki/RADIUS">RADIUS</a>, <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/SMTP']);" href="https://en.wikipedia.org/wiki/SMTP">SMTP</a>, and other common applications use standard SSL certificates for encrypting traffic and validating remote connections. But as mentioned above, be aware that unless a remote user has a copy of your root certificate, they will be unable to validate the authenticity of your signed certificates.</p>
<p class="whiteline">Using certificates signed by your own CA can provide you that extra trust level you may be seeking. Perhaps you configured your mail server to use your certificate for the POP and IMAP protocols. This makes it more difficult for an attacker to masquerade as either of those services without obtaining your signing certificate so they can create their own. This is especially true if you configure your mail client such that your root certificate is the only certificate that can be used for validation.</p>
<p class="whiteline">Using your own signed certificates for internal, non-public facing services provides an even better use-case. Attacks such as <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/DNS_spoofing']);" href="https://en.wikipedia.org/wiki/DNS_spoofing">DNS cache poisoning</a> make it possible for attackers to trick devices into using the wrong address for an intended destination. If these services are configured to only use your certificates and reject connection attempts from peers with invalid certificates, then attackers will only be able to impersonate the destination if they can somehow obtain a valid certificate signed by your signing certificate.</p>
<p class="whiteline">Sound good? Well, how do we go about creating our own root certificate and all the various machinery necessary to make this work? Fortunately, all of the necessary tools are open-source and part of most <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Linux']);" href="https://en.wikipedia.org/wiki/Linux">Linux</a> distributions. For the purposes of this blog post, I will be explaining how this is accomplished using the <a onclick="_gaq.push(['_trackPageview', '/extlink/www.centos.org/']);" href="https://www.centos.org/">CentOS</a> 6.x Linux distribution. I will also endeavor to break down each command and explain what each parameter does. Much of this information can be found in the man pages for the various commands.</p>
<p class="whiteline">OpenSSL is installed as part of a base CentOS install. Included in the install is a directory structure in /etc/pki. All of the necessary tools and configuration files are located in this directory structure, so instead of reinventing the wheel, we'll use the existing setup.</p>
<p class="whiteline">To get started, edit the default openssl.cnf configuration file. You can find this file in /etc/pki/tls. There are a few options you want to change from their defaults. Search for the following headers and change the options listed within.</p>
<blockquote>
<pre>[CA_default]
default_md = sha256

[req]
default_bits = 4096
default_md = sha256</pre>
</blockquote>
<ul>
<li>default_md : This option defines the default message digest to use. Switching this to sha256 results in a stronger message digest being used.</li>
<li>default_bits : This option defines the default key size. 2048 is generally considered a minimum these days. I recommend setting this to 4096.</li>
</ul>
<p class="whiteline">Once the openssl.cnf file is set up, the rest of the process is painless. First, switch into the correct directory.</p>
<blockquote>cd /etc/pki/tls/misc</blockquote>
<p class="whiteline">Next, use the CA command to create a new CA.</p>
<blockquote>
<pre>[root@localhost misc]# ./CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 4096 bit RSA private key
...................................................................................................................................................................................................................................................++
.......................................................................++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:MyState
Locality Name (eg, city) [Default City]:MyCity
Organization Name (eg, company) [Default Company Ltd]:My Company Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:cert.example.com
Email Address []:certadmin@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 17886042129551798347 (0xf837fc8d719b304b)
Validity
Not Before: Feb 13 18:37:14 2014 GMT
Not After : Feb 12 18:37:14 2017 GMT
Subject:
countryName = US
stateOrProvinceName = MyState
organizationName = My Company Inc.
commonName = cert.example.com
emailAddress = certadmin@example.com
X509v3 extensions:
X509v3 Subject Key Identifier:
14:FC:14:BC:F4:A5:3E:6B:0C:58:3B:DF:3B:26:35:46:A0:BE:EC:F1
X509v3 Authority Key Identifier:
keyid:14:FC:14:BC:F4:A5:3E:6B:0C:58:3B:DF:3B:26:35:46:A0:BE:EC:F1
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Feb 12 18:37:14 2017 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated</pre>
</blockquote>
<p class="whiteline">And that's about it. The root certificate is located in /etc/pki/CA/cacert.pem. This file can be made public without compromising the security of your system; it is the same certificate you'll want to import into your browser, email client, etc. in order to validate any certificates you sign. The private key written to /etc/pki/CA/private/cakey.pem is the opposite: anyone who obtains it, together with its pass phrase, can issue certificates that every client trusting your root will accept. Keep it on the CA machine only, restrict its file permissions, and back it up somewhere offline.</p>
<p class="whiteline">Now you can start signing certificates. First you'll need to create a CSR on the server you want to install it on. The following command creates both the private key and the CSR for you. The private key should stay on that server; only the CSR, which carries the public key and the requested name, is sent to the CA. Note that openssl will ask for a pass phrase to protect the new key; a web server that has to start unattended will either need that pass phrase in its configuration or an unencrypted key (add -nodes to the command). I recommend using the server name as the name of the CSR and the key.</p>
<blockquote>openssl req -newkey rsa:4096 -keyout www.example.com.key -out www.example.com.csr</blockquote>
<ul>
<li>openssl : The openSSL command itself</li>
<li>req : This option tells openSSL that we are performing a certificate signing request (CSR) operation.</li>
<li>-newkey : This option creates a new certificate request and a new private key. It will prompt the user for the relevant field values. The rsa:4096 argument indicates that we want to use the RSA algorithm with a key size of 4096 bits.</li>
<li>-keyout : This gives the filename to write the newly created private key to.</li>
<li>-out : This specifies the output filename to write to.</li>
</ul>
<blockquote>
<pre>[root@localhost misc]# openssl req -newkey rsa:4096 -keyout www.example.com.key -out www.example.com.csr
Generating a 4096 bit RSA private key
.....................................................................................................................++
..........................................................................................................................................................................................................................................................................................................................................................................................................++
writing new private key to 'www.example.com.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:MyState
Locality Name (eg, city) [Default City]:MyCity
Organization Name (eg, company) [Default Company Ltd]:My Company Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:hostmaster@example.com</pre>
</blockquote>
<p class="whiteline">Once you have the CSR, copy it over to the server you're using to sign certificates. Unfortunately, the CA wrapper script insists on reading the request from a file called newreq.pem in the current directory rather than letting you name the CSR you're trying to sign, so we need to create a small tool of our own. First, create a new directory to put the CSRs in.</p>
<blockquote>mkdir /etc/pki/tls/csr</blockquote>
<p class="whiteline">Next, create the sign_cert.sh script in the directory we just created. This file needs to be executable.</p>
<blockquote>
<pre>#!/bin/sh
# Sign the CSR named on the command line with the CA in /etc/pki/CA.
# Revoke last year's certificate first :
# openssl ca -revoke cert.crt
set -e
[ $# -eq 1 ] || { echo "usage: $0 domain"; exit 1; }
DOMAIN="$1"
YEAR=$(date +%Y)
[ -f "$DOMAIN.csr" ] || { echo "no such CSR: $DOMAIN.csr"; exit 1; }
# The CA script only looks at newreq.pem in the current directory,
# so point that name at the CSR we actually want to sign.
rm -f newreq.pem
ln -s "$DOMAIN.csr" newreq.pem
/etc/pki/tls/misc/CA -sign
mv newcert.pem "$DOMAIN.$YEAR.crt"</pre>
</blockquote>
<p class="whiteline">That's all you need to start signing certificates. Place the CSR you transferred from the other server into the csr directory and use the script we just created to sign it.</p>
<blockquote>
<pre>[root@localhost csr]# ./sign_cert.sh www.example.com
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 17886042129551798348 (0xf837fc8d719b304c)
Validity
Not Before: Feb 13 18:48:55 2014 GMT
Not After : Feb 13 18:48:55 2015 GMT
Subject:
countryName = US
stateOrProvinceName = MyState
localityName = MyCity
organizationName = My Company Inc.
commonName = www.example.com
emailAddress = hostmaster@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3A:EE:2B:3A:73:A6:C3:5C:39:90:EA:85:3F:DA:71:33:7B:91:4D:7F
X509v3 Authority Key Identifier:
keyid:14:FC:14:BC:F4:A5:3E:6B:0C:58:3B:DF:3B:26:35:46:A0:BE:EC:F1
Certificate is to be certified until Feb 13 18:48:55 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 17886042129551798348 (0xf837fc8d719b304c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=MyState, O=My Company Inc., CN=cert.example.com/emailAddress=certadmin@example.com
Validity
Not Before: Feb 13 18:48:55 2014 GMT
Not After : Feb 13 18:48:55 2015 GMT
Subject: C=US, ST=MyState, L=MyCity, O=My Company Inc., CN=www.example.com/emailAddress=hostmaster@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:d9:5a:cc:87:f0:e5:1e:6f:a0:25:cd:fe:36:64:
6c:68:ae:2f:3e:7e:93:93:a4:69:6f:f1:28:c1:c2:
4d:5f:3c:3a:61:2e:4e:f0:90:89:54:48:d6:03:83:
fb:ac:1e:7c:9a:e8:be:cf:c9:8f:93:41:27:3e:1b:
66:63:db:a1:54:cb:f7:1d:0b:71:bc:5f:80:e1:30:
e4:28:14:68:1c:09:ba:d0:aa:d3:e6:2b:24:cd:21:
67:99:dc:8b:7a:2c:94:d0:ed:8e:02:5f:2f:52:06:
09:0e:8a:b7:bf:64:e8:d7:bf:94:94:ad:80:34:57:
32:89:51:00:fe:fd:8c:7d:17:35:4c:c7:5f:5b:58:
f4:97:9b:21:42:9e:a9:6c:86:5f:f4:35:98:a5:81:
62:9d:fa:15:07:9d:29:25:38:2b:5d:22:74:58:f8:
58:56:1c:e9:65:a3:62:b5:a7:66:17:95:12:21:ca:
82:12:90:b6:8a:8d:1f:79:e8:5c:f4:f9:6c:3a:44:
f9:3a:3f:29:0d:2e:bf:51:98:9f:58:21:e5:d9:ee:
78:54:ad:5a:a2:6f:d1:85:9a:bc:b9:21:92:e8:76:
80:b8:0f:96:77:9a:99:5e:3b:06:bb:6f:da:1c:6e:
f2:10:16:69:ba:2b:57:c8:1a:cc:b6:e4:0c:1d:b2:
a6:b7:b9:6c:37:2e:80:13:46:a1:46:c3:ca:d6:2b:
cd:f7:ba:38:98:74:15:7f:f1:67:03:8e:24:89:96:
55:31:eb:d8:44:54:a5:11:04:59:e6:73:59:42:ed:
aa:a3:37:13:ab:63:ab:ef:61:65:0a:af:2f:71:91:
23:40:7d:f8:e8:a1:9d:cf:3f:e5:33:d9:5f:d2:4d:
06:d0:2c:70:59:63:06:0f:2a:59:ae:ae:12:8d:f4:
6c:fd:b2:33:76:e8:34:0f:1f:24:91:2a:a8:aa:1b:
11:8a:0b:86:f3:67:b8:be:b7:a0:06:02:4a:76:ef:
dd:ed:c4:a9:03:a1:8c:b0:39:9d:35:98:7f:04:1c:
24:8a:1c:7c:6f:35:56:71:ee:b5:36:b7:3f:14:04:
eb:48:a1:4f:6f:8e:43:7c:8b:36:4a:bf:ba:e9:8b:
d9:38:0c:76:24:e9:a3:38:bf:4e:86:fd:31:4d:c3:
6f:16:07:09:dd:d8:6b:0b:9d:4d:97:eb:1f:92:21:
b2:a5:f9:d8:55:61:85:d2:99:97:bc:27:12:be:eb:
55:86:ee:1f:f5:6f:a7:c5:64:2f:4e:c2:67:a3:52:
97:7a:d9:66:89:05:6a:59:ed:69:7b:22:10:2b:a1:
14:4e:5d:b8:f0:21:e9:11:d0:25:ae:bc:05:2b:c3:
db:ad:cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3A:EE:2B:3A:73:A6:C3:5C:39:90:EA:85:3F:DA:71:33:7B:91:4D:7F
X509v3 Authority Key Identifier:
keyid:14:FC:14:BC:F4:A5:3E:6B:0C:58:3B:DF:3B:26:35:46:A0:BE:EC:F1
Signature Algorithm: sha256WithRSAEncryption
ca:66:b2:55:64:e6:40:a5:85:19:11:66:0d:63:89:fb:0d:3a:
0c:ec:fd:cb:5c:93:44:1e:3f:1b:ca:f5:3d:85:ab:0a:0b:dc:
f3:18:1d:1f:ec:85:ff:f3:82:52:9e:c7:12:19:07:e9:6a:82:
bd:32:f6:d1:19:b2:b7:09:1c:34:d7:89:45:7e:51:4d:42:d6:
4e:78:b6:39:b3:76:58:f8:20:57:b3:d8:7b:e0:b3:2f:ce:9f:
a2:59:de:f6:31:f2:09:1c:91:3b:7f:97:61:cb:11:a4:b4:73:
ab:47:64:e8:93:07:98:d5:47:75:8d:9a:8f:a3:8f:e8:f4:42:
7e:b8:1b:e8:36:72:13:93:f9:a8:cc:6d:b4:85:a7:af:94:fe:
f3:6e:76:c2:4d:78:c3:c2:0b:a4:48:27:d3:eb:52:c3:46:14:
c1:26:03:28:a0:53:c7:db:59:c9:95:b8:d9:f0:d9:a8:19:4a:
a7:0f:81:ad:3c:e1:ec:f2:21:51:0d:bc:f9:f9:f6:b6:75:02:
9f:43:de:e6:2f:9b:77:d3:c3:72:6f:f6:18:d7:a3:43:91:d2:
04:2a:c8:bf:67:23:35:b7:41:3f:d1:63:fe:dc:53:a7:26:e9:
f4:ee:3b:96:d5:2a:9c:6d:05:3d:27:6e:57:2f:c9:dc:12:06:
2c:cf:0c:1b:09:62:5c:50:82:77:6b:5c:89:32:86:6b:26:30:
d2:6e:33:20:fc:a6:be:5a:f0:16:1a:9d:b7:e0:d5:d7:bb:d8:
35:57:d2:be:d5:07:98:b7:3c:18:38:f9:94:4c:26:3a:fe:f2:
ad:40:e6:95:ef:4b:a9:df:b0:06:87:a2:6c:f2:6a:03:85:3b:
97:a7:ef:e6:e5:d9:c3:57:87:09:06:ae:8a:5a:63:26:b9:35:
29:a5:87:4b:7b:08:b9:63:1c:c3:65:7e:97:ae:79:79:ed:c3:
a3:36:c3:87:1f:54:fe:0a:f1:1a:c1:71:3d:bc:9e:36:fc:da:
03:2b:61:b5:19:0c:d7:4d:19:37:61:45:91:4c:c9:7a:5b:00:
cd:c2:2d:36:f9:1f:c2:b1:97:2b:78:86:aa:75:0f:0a:7f:04:
85:81:c5:8b:be:af:a6:a7:7a:d2:17:26:7a:86:0d:f8:fe:c0:
27:a8:66:c7:92:cd:c5:34:99:c9:8e:c1:25:f3:98:df:4e:48:
37:4a:ee:76:4a:fa:e4:66:b4:1f:cd:d8:e0:25:fd:c7:0b:b3:
12:af:bb:b7:29:98:5e:86:f2:12:8e:20:c6:a9:40:6f:39:14:
8b:71:9f:98:22:a0:5b:57:d1:f1:88:7d:86:ad:19:04:7b:7d:
ee:f2:c9:87:f4:ca:06:07
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem</pre>
</blockquote>
<p class="whiteline">The script automatically renamed the newly signed certificate. In the above example, the signed certificate is in www.example.com.2014.crt. Transfer this file back to the server it belongs on and you're all set to start using it.</p>
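<p class="whiteline">The whole procedure above, condensed into one script, as an added example. This is not code from the post and it does not use the CA wrapper: it makes the same openssl req and openssl ca calls that the wrapper makes, so it runs anywhere openssl is installed. It writes a minimal openssl.cnf with the default_md and default_bits settings from the top of the post, creates the CA the way CA -newca does, generates a server key and CSR, signs the CSR with explicit leaf extensions and a subjectAltName, verifies the chain against the root, and then performs the revocation step the sign_cert.sh comment mentions and shows the CRL check rejecting the revoked certificate. The temporary directory, the CA name "Example Test CA", the 2048-bit keys (chosen for speed; the post recommends 4096) and the unencrypted CA key are assumptions of the example; www.example.com is the name used in the post. Nothing touches /etc/pki.</p>

```sh
#!/bin/sh
# Added example (not code from the original post): a throwaway CA built with the
# same openssl req / openssl ca calls that /etc/pki/tls/misc/CA wraps. It signs a
# server CSR, verifies the chain, revokes the cert and re-checks against the CRL.
# Paths are assumptions; everything lives in a temp dir, nothing touches /etc/pki.
set -eu
make_ca_config() {
    # $1 = CA dir. Same knobs the post changes (default_md, default_bits); 2048 bits only for speed.
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca
[ req_dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

init_ca() {
    # $1 = CA dir. Equivalent of "CA -newca". The key is unencrypted (-nodes) so
    # this runs unattended; a real CA key keeps its pass phrase and never leaves.
    mkdir -p "$1/private" "$1/newcerts" "$1/csr" && chmod 700 "$1/private"
    : > "$1/index.txt"; echo 1000 > "$1/serial"
    make_ca_config "$1"
    openssl req -config "$1/openssl.cnf" -new -x509 -nodes -days 1095 \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" \
        -subj "/C=US/O=My Company Inc./CN=Example Test CA" 2>/dev/null
}

make_csr() {
    # $1 = CA dir, $2 = server name. The post's "openssl req -newkey" step; in
    # practice this runs on the web server and only the .csr is copied over.
    openssl req -config "$1/openssl.cnf" -new -nodes -newkey rsa:2048 \
        -keyout "$1/csr/$2.key" -out "$1/csr/$2.csr" \
        -subj "/C=US/O=My Company Inc./CN=$2" 2>/dev/null
}

sign_cert() {
    # $1 = CA dir, $2 = server name. What sign_cert.sh does, but the CSR is named
    # explicitly and the leaf gets CA:FALSE, serverAuth and a SAN. Prints the cert path.
    out="$1/csr/$2.$(date +%Y).crt"
    cat > "$1/csr/$2.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$2
EOF
    openssl ca -config "$1/openssl.cnf" -batch -notext -extfile "$1/csr/$2.ext" \
        -in "$1/csr/$2.csr" -out "$out" >/dev/null 2>&1
    echo "$out"
}

revoke_cert() {
    # $1 = CA dir, $2 = cert path. The step the sign_cert.sh comment alludes to:
    # mark the serial revoked in index.txt, then publish a fresh CRL.
    openssl ca -config "$1/openssl.cnf" -revoke "$2" >/dev/null 2>&1
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

verify_cert() {
    # $1 = CA dir, $2 = cert path, $3 = optional CRL file to enforce as well.
    # Returns 0 when the chain validates, as a client trusting cacert.pem would.
    cat "$1/cacert.pem" ${3:+"$3"} > "$1/trust.pem"
    openssl verify ${3:+-crl_check} -CAfile "$1/trust.pem" "$2" >/dev/null 2>&1
}

CADIR=$(mktemp -d); trap 'rm -rf "$CADIR"' EXIT
init_ca "$CADIR"
make_csr "$CADIR" www.example.com
CRT=$(sign_cert "$CADIR" www.example.com)
verify_cert "$CADIR" "$CRT" && echo "chain OK: $CRT"
revoke_cert "$CADIR" "$CRT"
verify_cert "$CADIR" "$CRT" "$CADIR/crl.pem" || echo "revoked: CRL check now fails"
```

<p class="whiteline">Run it as an ordinary user; it prints the path of the signed certificate and then the CRL result. Two details worth carrying over to the real CA: the leaf is issued with basicConstraints CA:FALSE and a subjectAltName (modern browsers match the name against the SAN, not the CN), and the chain check uses the root alone, which is exactly what a client that imported cacert.pem is able to do. The CRL only matters to clients that actually fetch it, which is the problem the next post is about.</p>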
<p class="whiteline">That's it! You're now a certificate authority with the power to sign your own certificates. Don't let all that power go to your head!</p>
SSL "Security" (http://blog.godshell.com/blog/archives/319-SSL-Security.html)
<p class="whiteline"><a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Secure_Sockets_Layer']);" href="https://en.wikipedia.org/wiki/Secure_Sockets_Layer">SSL</a>, a cryptographically secure protocol, was created by <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Netscape']);" href="https://en.wikipedia.org/wiki/Netscape">Netscape</a> in the mid-1990's. Today, SSL and its replacement, <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Secure_Sockets_Layer']);" href="https://en.wikipedia.org/wiki/Secure_Sockets_Layer">TLS</a>, are used by web browsers and other programs to create secure connections between devices across the Internet.</p>
<p class="whiteline">SSL provides the means to cryptographically secure a tunnel between endpoints, but there is another aspect of security that is missing. <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Computational_trust']);" href="https://en.wikipedia.org/wiki/Computational_trust">Trust</a>. While a user may be confident that the data received from the other end of the SSL tunnel was sent by whoever holds the private key at the remote end, the user cannot be confident that the remote system is the system it claims to be. This problem was partially solved through the use of a <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Public_key_infrastructure']);" href="https://en.wikipedia.org/wiki/Public_key_infrastructure">Public Key Infrastructure, or PKI</a>.</p>
<p class="whiteline">PKI, in a nutshell, provides the trust structure needed to make SSL secure. Certificates are issued by a certificate authority or CA. The CA cryptographically signs the certificate, enabling anyone to verify that the certificate was issued by the CA. Other PKI constructs offer validation of the registrant, indexing of the public keys, and a key revocation system. It is within these other constructs that the problems begin.</p>
<p class="whiteline">When SSL certificates were first offered for sale, the CAs spent a great deal of time and energy verifying the identity of the registrant. Often, paper copies of the proof had to be sent to the CA before a certificate would be issued. The process could take several days. More recently, the bar for entry has been lowered significantly. Certificates are now issued through an automated process requiring only that the registrant click on a link sent to one of the email addresses listed in the <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Whois']);" href="https://en.wikipedia.org/wiki/Whois">Whois</a> information. This lack of thorough verification has significantly eroded the trust a user can place in the authenticity of a certificate.</p>
<p class="whiteline">CAs have responded to this problem by offering different levels of SSL certificates. Entry level certificates are verified automatically via the click of a link. Higher level SSL certificates have additional identity verification steps. And at the highest level, the <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Extended_Validation_Certificate']);" href="https://en.wikipedia.org/wiki/Extended_Validation_Certificate">Extended Validation</a>, or EV certificate requires a thorough verification of the registrant's identity. Often, these different levels of SSL certificates are marketed as stronger levels of encryption. The reality, however, is that the level of encryption is exactly the same for all of them: the cipher and key length are negotiated between the client and the server when the connection is set up, and the certificate's validation level plays no part in that. The only difference is the amount of verification performed by the CA.</p>
<p class="whiteline">Despite the extra level of verification, these certificates are almost indistinguishable from one another. With the exception of EV certificates, the only noticeable difference between differing levels of SSL certificates is the identity details obtained before the certificate is issued. An EV certificate, on the other hand, can only be obtained from certain vendors, and shows up in a web browser with a special green overlay. The intent here seems to be that websites with EV certificates can be trusted more because the identity of the organization running the website was more thoroughly validated.</p>
<p class="whiteline">In the end, though, trust is the ultimate issue. Users have been trained to just trust a website with an SSL certificate. And trust sites with EV certificates even more. In fact, there have been a number of marketing campaigns targeted at convincing users that the &quot;Green Address Bar&quot; means that the website is completely trustworthy. And they've been pretty effective. But, as with most marketing, they didn't quite tell the truth. Sure, the EV certificate may mean that the site is more trustworthy, but it's still possible that the certificate is fake.</p>
<p class="whiteline">There have been a number of well known CAs that have been compromised in recent years. <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/DigiNotar']);" href="https://en.wikipedia.org/wiki/DigiNotar">Diginotar</a> and <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Comodo_Group']);" href="https://en.wikipedia.org/wiki/Comodo_Group">Comodo</a> being two of the more high profile ones. In both cases, it became possible for rogue certificates to be created for any website the attacker wanted to hijack. That certificate plus some creative DNS poisoning and the attacker suddenly looks like your bank, or google, or whatever site the attacker wants to be. And, if the compromised CA is one that browsers trust for EV, they can have a nice shiny green EV certificate too.</p>
<p class="whiteline">So how do we fix this? Well, one way would be to use the certificate revocation system that already exists within the PKI infrastructure. If a certificate is stolen, or a false certificate is created, the CA has the ability to put that certificate's serial number on its certificate revocation list (CRL), or to flag it as revoked in its OCSP responder. When a user tries to load a site with a revoked certificate, a warning is displayed telling the user that the certificate is not to be trusted.</p>
<p class="whiteline">Checking revocation of a certificate <a onclick="_gaq.push(['_trackPageview', '/extlink/revocation-report.x509labs.com']);" href="https://revocation-report.x509labs.com">takes time</a>, and what happens if the revocation server is down? Should the browser let the user go to the site anyway? Or should it block by default? The more secure option is to block, of course, but most users won't understand what's going on. So most <a onclick="_gaq.push(['_trackPageview', '/extlink/blog.spiderlabs.com/2011/04/certificate-revocation-behavior-in-modern-browsers.html']);" href="http://blog.spiderlabs.com/2011/04/certificate-revocation-behavior-in-modern-browsers.html">browser manufacturers</a> have either disabled revocation checking completely, or they default to allowing a user to access the site when the revocation site is slow or unavailable.</p>
<p class="whiteline">Without the ability to verify if a certificate is valid or not, there can be no real trust in the security of the connection, and that's a problem. Perhaps one way to fix this problem is to disconnect the revocation process from the process of loading the webpage. If the revocation check happened in parallel to the page loading, it shouldn't interfere with the speed of the page load. Additional controls can be put into place to prevent any data from being sent to the remote site without a warning until the revocation check completes. In this manner, the revocation check can take a few seconds to complete without impeding the use of the site. And after the first page load, the revocation information is cached anyway, so subsequent page loads are unaffected.</p>
<p class="whiteline">Another option, <a onclick="_gaq.push(['_trackPageview', '/extlink/www.darkreading.com/authentication/solving-the-ssl-certificate-revocation-c/232601983']);" href="http://www.darkreading.com/authentication/solving-the-ssl-certificate-revocation-c/232601983">floated</a> by the browser builders themselves, is to have the browser vendors host the revocation information. This information is then passed on to the browsers when they're loaded. This way the revocation process can be handled outside of the CAs, handling situations such as those caused by a CA being compromised. Another idea would be to use short term certificates that expire quickly, dropping the need for revocation checks entirely.</p>
<p class="whiteline">It's unclear as to what direction the market will move with this issue. It has been over two years since the attacks on Diginotar and Comodo and the immediacy of this problem seems to have passed. At the moment, the only real fix for this is user education. But with the marketing departments for SSL vendors working to convince users of the security of SSL, this seems unlikely.</p>
BSides Delaware 2013 (http://blog.godshell.com/blog/archives/320-BSides-Delaware-2013.html)
<p class="whiteline">The annual <a onclick="_gaq.push(['_trackPageview', '/extlink/www.securitybsides.com/w/page/28563447/BSidesDelaware']);" href="http://www.securitybsides.com/w/page/28563447/BSidesDelaware">BSides Delaware</a> conference took place this past weekend, November 8th and 9th. BSides Delaware is a free community driven security event that takes place at the <a onclick="_gaq.push(['_trackPageview', '/extlink/www.wilmu.edu/newcastle/']);" href="http://www.wilmu.edu/newcastle/">Wilmington University</a> New Castle campus. The community is quite open, welcoming seasoned professionals, newcomers, curious individuals, and even children. There were a number of families who attended, bringing their children with them to learn and have fun.</p><p class="whiteline">I was fortunate enough to be able to speak at last year's BSides and was part of the staff for this year's event. There were two tracks for talks, many of which were recorded and are <a onclick="_gaq.push(['_trackPageview', '/extlink/www.irongeek.com/i.php?page=videos/bsidesde2013/mainlist']);" href="http://www.irongeek.com/i.php?page=videos/bsidesde2013/mainlist">already online</a> thanks to Adrian Crenshaw, the <a onclick="_gaq.push(['_trackPageview', '/extlink/www.irongeek.com/']);" href="http://www.irongeek.com/">IronGeek</a>. Adrian has honed his video skills and was able to have every recording online by the closing ceremonies on Saturday evening.</p><p class="whiteline">In all there were more than 25 talks over the course of two days covering a wide variety of topics: logging, Bitcoins, forensics, and more. While most speakers were established security professionals, there were a few new speakers striving to make a name for themselves.</p><p class="whiteline">This year also included a <strong>FREE</strong> wireless essentials training class. 
The class was taught by a team of world-class instructors including Mike Kershaw (drag0rn), author of the immensely popular <a onclick="_gaq.push(['_trackPageview', '/extlink/kismetwireless.net/']);" href="https://kismetwireless.net/">Kismet</a> wireless tool, Russell Handorf from the FBI Cyber Squad, and Rick Farina, lead developer for <a onclick="_gaq.push(['_trackPageview', '/extlink/pentoo.ch/']);" href="http://pentoo.ch/">Pentoo</a>. The class covered everything from wireless basics to software-defined radio hacking. An absolutely amazing class.</p><p class="whiteline">In addition to the talks, BSides also features not one, but two lockpick villages. Both <a onclick="_gaq.push(['_trackPageview', '/extlink/digitaltrustllc.com/']);" href="http://digitaltrustllc.com/">Digital Trust</a> as well as <a onclick="_gaq.push(['_trackPageview', '/extlink/toool.us/']);" href="http://toool.us/">Toool</a> were present. The lockpick villages were a big hit with seasoned professionals as well as the very young. It's amazing to see how adept a young child can be with a lockpick.</p><p class="whiteline"><a onclick="_gaq.push(['_trackPageview', '/extlink/www.hackersforcharity.org/']);" href="http://www.hackersforcharity.org/">Hackers for Charity</a> was present as well with a table of goodies for sale. They also held a silent (and not so silent) auction where all proceeds went to the charity. Hackers for Charity raises money to help with a variety of projects they engage in across the world. From their website :</p><blockquote><p class="whiteline">We employ volunteer hackers and technologists through our Volunteer Network and engage their skills in short projects designed to help charities that can not afford traditional technical resources.</p><p class="whiteline">...</p><p class="whiteline">We’ve personally witnessed how one person can have a profound impact on the world. By giving of their skills, time and talent our volunteers are profoundly impacting the world, one “hacker” at a time.</p></blockquote><p class="break">BSides 2013 was an amazing experience. This was my second year at the conference and it's amazing how it has grown. The dates for BSidesDE 2014 have already been announced, November 14th and 15th. Mark your calendars and make an effort to come join in the fun. It's worth it.</p>
Pebble Review (http://blog.godshell.com/blog/archives/318-Pebble-Review.html)
<p class="break">In April of 2012, a <a onclick="_gaq.push(['_trackPageview', '/extlink/www.kickstarter.com']);" target="_blank" href="http://www.kickstarter.com">Kickstarter</a> project was launched by a company aiming to create an electronic watch that served as a companion to your smartphone. A month later, the <a onclick="_gaq.push(['_trackPageview', '/extlink/www.kickstarter.com/projects/597507018/pebble-e-paper-watch-for-iphone-and-android']);" href="http://www.kickstarter.com/projects/597507018/pebble-e-paper-watch-for-iphone-and-android">project</a> exceeded its funding goal by over 100%, closing at over $10 million in pledges. Happily, I was one of the over 68,000 people that pledged. I received my Pebble about a month ago or so and I've been wearing it ever since. <br /><br /><img width="220" border="0" align="left" hspace="5" height="220" src="uploads/pebble.jpg" alt="Pebble" title="pebble.jpg" style="float: left;" />The watch itself is fairly simple, a rectangular unit with an e-ink display, four buttons, and a rubberized plastic strap. The screen resolution is 144x168, plenty of pixels for some fairly impressive detail. The watch communicates with your mobile phone (Android or iPhone only) via a bluetooth connection. All software updates and app installation occurs over the bluetooth connection. There is a 3-axis accelerometer as well as a pretty standard vibrating motor for silent alerts.<br /><br />According to the official Pebble FAQ, battery life is 7+ days on a single charge, but this depends on your overall use of the device. The more alerts you receive, the more the backlight comes on, and the more apps you use on the device, the shorter your battery life.<br /><br />Pebble is still in the process of building the initial run of watches for backers. Black watches, being the majority of the orders, were built first. Other colors are coming online in more recent weeks. 
Pebble has a <a onclick="_gaq.push(['_trackPageview', '/extlink/ispebbleshipping.com']);" target="_blank" href="http://ispebbleshipping.com">website</a> where interested parties can track how many pebbles have been built and shipped.<br /><br />I've been pretty impressed with the watch thus far. Pebble has been fairly responsive to inquiries I've made, and they seem dedicated to making sure they have a top quality product. Of course, as is typical on the Internet, not everyone is happy. There seem to be a lot of complaints about communication, how long it's taking to get watches, and about the features themselves.<br /><br />It's hard to say whether these complaints have any merit, though. For starters, I can't imagine it's a simple task to design and build 68,000 watches in a short period of time. And to complicate matters further, it seems that many backers of Kickstarter projects don't understand the difference between being a backer and being a customer.<br /><br />When you back a Kickstarter project, you're pledging money to help start the project. As a &quot;reward&quot; for contributing, if the project is successful, you are entitled to whatever the project owners have designated for your level of contribution. The key part of this being, if the project is successful. Some projects take longer than others, and times often slip. That said, I've only been part of one Kickstarter that has failed, and even that one is being resurrected by other interested parties.<br /><br />But there are some legitimate complaints, some that can be addressed, and others that likely won't. For instance, I've noticed that with recent firmware releases, the battery life on my watch had dropped considerably. Based on communication with the developers, they are aware of this and are actively working to resolve it. 
I'm not sure what the problem is, exactly, but I'm confident they'll have it fixed in the next firmware update.<br /><br />The battery indicator is a source of frequent discussion. Right now, there's no indicator of battery life until the battery is running low. And that indicator doesn't show on the watchface, it only shows when you are in other menus. This, in my opinion, is a poor UI choice. I'd much rather see a battery indicator option available for the watchface itself.<br /><br />Menu layout was also a frequent source of frustration for users. In previous firmware releases, you had to actively go to the watchface you wanted. Recent releases changed this so that the watch was the default view and other screens were chosen as needed. The behavior of the navigation buttons on the watch was also updated to reflect this new choice.<br /><br />So Pebble continues to improve over time. It's an iterative process that will take some time to get right. I'm eager to see what future releases will bring. Next week, Pebble is scheduled to release the watch SDK, allowing users, for the first time, to start adding their own customizations to the watch.<br /><br />The Pebble watch has a lot of potential. As the platform matures, I'm hoping to see a number of features I'm interested in come to fruition. Interaction between Pebble and other apps on iPhone devices would be a welcome addition. I would love to see an <a onclick="_gaq.push(['_trackPageview', '/extlink/en.wikipedia.org/wiki/Actigraphy']);" href="https://en.wikipedia.org/wiki/Actigraphy" target="_blank">actigraphy</a> app that uses the Pebble for sleep monitoring. From what I've read, sleep monitoring is even more accurate when the monitor is placed on the sleeper's wrist. Seems like a perfect use for the Pebble.<br /><br />I'd also like to see more of an open SDK, allowing users such as myself to write code for the Pebble. 
While I'm aware of the closed nature of the iPhone platform itself, it is still possible to add applications to the Pebble itself. I can't wait to see what others build for this platform. Given a bit of time, I think this can grow into something even more amazing.<br /></p>
Customer Dis-Service (http://blog.godshell.com/blog/archives/317-Customer-Dis-Service.html)
<p class="whiteline">In general, I'm a pretty loyal person. Especially when it comes to material things. I typically find a vendor I like and stick with them. Sure, if something new and flashy comes along, I'll take a look, but unless there's a compelling reason to change, I'll stick with what I have.</p><p class="whiteline">But sometimes a change is forced upon me. Take, for instance, this last week. I've been a loyal Verizon customer for … wow, about 15 years or so. Not sure I realized it had been that long. Regardless, I've been using Verizon's services for a long time. I've been relatively happy with them, no major complaints about services being down or getting the runaround on the phone. In fact, my major gripe with them had always been their online presence which seemed to change from month to month. I've had repeated problems with trying to pay bills, see my services, etc. But at the end of the day, I've always been able to pay the bill and move on. Since that's really the only thing I used their online service for, I was content to leave well enough alone.</p><p class="whiteline">In more recent months, we've been noticing that the 3M DSL service we had is starting to lack a bit. Not Verizon's fault at all, but the fault of an increased strain on the system at our house. Apparently 3M isn't nearly enough bandwidth to satisfy our online hunger. That, coupled with the price we were paying, had me looking around for other services. Verizon still doesn't offer anything faster than 3M in the area and, unfortunately, the only other service in the area is from a company that I'd rather not do business with if I could avoid it.</p><p class="whiteline">In the end, I thought perhaps I could make some slight changes and at least reduce the monthly bill by a little until we determined a viable solution. I was considering adding a second DSL line, connected to a second wireless router, to relieve the tension a bit. 
This would allow me to avoid that other company and provide the bandwidth we needed. My wife and I could enjoy our own private upstream and place the rest of the house on the other line.</p><p class="whiteline">Ok, I thought, let's dig into this a bit. First things first, I decided to get rid of the home phone, or at least transfer it to a cheaper solution. My cell provider offered a $10/month plan for home phones. Simple process, port the number over, install this little box in the house, and poof. Instant savings. Best part, that savings would be just about enough to get that second DSL line.</p><p class="whiteline">Being cautious, and not wanting to end up without a DSL connection, I contacted Verizon. Having worked for a telco in the past, I knew that some telcos required that you have a home phone line in order to have DSL service. This wasn't a universal truth, however, and it was easy enough to verify. The first call to Verizon went a little sideways, though. I ended up in an automated system. Sure, everyone uses these automated systems nowadays, but I thought this one was particularly condescending. They added additional sound effects to the prompts so that when you answered a question, the automated voice would acknowledge your request and then type it in. TYPE IT IN. I don't know why, but this drove me absolutely crazy. Knowing that I was talking to a recorded voice and then having that recorded voice playing sounds like they were typing on a keyboard? Infuriating. And, on top of it, I ended up in some ridiculous loop where I couldn't get an operator unless I explicitly stated why I wanted an operator, but the automated system apparently couldn't understand my request.</p><p class="whiteline">Ok, time out, walk away, try again later. The second time around, I lied. I ended up in sales, so it seems to have worked. I explained to the lady on the phone what I was looking for. I wanted to cancel my home phone and just keep the DSL. 
I also wanted to verify that I was not under contract so I wouldn't end up with some crazy early termination fee. She explained that this was perfectly acceptable and that I could make these changes whenever I wanted. I verified again that I could keep the DSL without issue. She agreed, no problem.</p><p class="whiteline">Excellent! Off I went to the cell carrier, purchased (free with a contract) the new home phone box, and had them port the number. The representative cautioned that he saw DSL service listed when he was porting and suggested I contact Verizon to verify that the DSL service would be ok.</p><p class="whiteline">I called Verizon again to verify everything would work as intended. I explained what I had done, asked when the port would go through, and stressed that the DSL service was staying. The representative verified the port date and said that the DSL service would be fine.</p><p class="whiteline">You can guess where this is going, can't you? On the day of the port, the phone line switched as expected. The new home phone worked perfectly and I made the necessary changes to the home wiring to ensure that the DSL connection was isolated away from the rest of the wiring. DSL was still up, phone ported, everything was great. Until the next morning.</p><p class="whiteline">I woke up the following morning and started my normal routine. Get dressed, go exercise, etc. Except that on the way to exercise, I noticed that the router light was blinking. Odd, I wondered what was going on. Perhaps something knocked the system offline overnight? The DSL light on the modem was still on, so I had a connection to the DSLAM. No problem, reboot the router and we'll be fine. So, I rebooted and walked away. After a few minutes I checked the system and noticed that I was still not able to get online. I walked through a mental checklist and decided that the username and password for the PPPoE connection must be failing. 
Time to call Verizon and see what's wrong.</p><p class="whiteline">I contacted Verizon and first spoke to a sales rep who informed me that my services had been cancelled per my request. Wonderful. All that work and they screw it up anyway. I explained what I had done and she took a deeper look into the account. Turns out the account was "being migrated" and she apologized for the mixup. Since I was no longer bundled, the DSL account had to be migrated. I talked with her some more about it and she decided to send me to technical support to verify everything was ok. Off I go to technical support, fully expecting them to ask me to reset my DSL modem. No such luck, however; the technical support rep explained that I had no DSL service.</p><p class="whiteline">And back to sales I went. I explained, AGAIN, what was going on. The representative confirmed my story, verified that the account was being migrated, and asked me to check the service again in a few hours. All told, I spent roughly an hour on the phone with Verizon and missed out on my morning exercise.</p><p class="whiteline">After rushing through the remainder of my morning routine and explaining to my wife why the Internet wasn't working, I left for work. My wife checked in a few hours later to let me know that, no, we still did not have an Internet connection. So I called Verizon again. Again I'm told I have no service and that I have cancelled them. Again I explain the problem and what I had done. And this time, the representative explains to me that they do not offer unbundled DSL service anymore; they haven't had that service in about a year. She goes on to offer me a bundled package with a phone line and explains that I don't have to use the phone line, I just have to pay for it.</p><p class="whiteline">So all of the careful planning I had done was for naught. In an effort to make sure this didn't happen to anyone else, the rep checked back on my account to see who had informed me about the DSL service. 
According to the notes, however, I had never called about such a thing. I had called to complain about unsolicited phone calls, and they had referred me to their fraud and abuse office and explained about the magical phone code I could put in to block calls. Ugh! She then went on to detail every aspect of my problem, again so someone else didn't have this problem.</p><p class="break">This is the sort of situation that will, very rapidly, cause me to look elsewhere for service. And that's exactly what I did. I've since cut all ties with Verizon and moved on to a different Internet service provider. I'm not happy with having to deal with this provider, but it's the only alternative at the moment. Assuming I don't have any major problems with the service, I'll probably continue with them for a while. Of course, if I run into problems here, the decision becomes more difficult. A "lesser of two evils" situation, if you will. But for now, I'll deal with what comes up.</p>
Programming Note
http://blog.godshell.com/blog/archives/316-Programming-Note.html
<p class="break">In 2012 I posted a little over a dozen entries to this blog. I like to think that each entry was well thought out and time well spent. But only a dozen? That's about one entry a month... I'd really like to do more.<br /><br />So, new year, time to make some changes. I spent a lot of time judging whether each post was "worth the effort" and "long enough to matter." I need to get past that. My goal is to start posting a number of smaller entries. I definitely want the quality to be there, but I want to avoid agonizing over each and every entry.<br /><br />So here's to a new year and more content!<br /></p>
Derbycon 2012
http://blog.godshell.com/blog/archives/315-Derbycon-2012.html
<p class="break">I spent this past weekend in Louisville, KY attending a relatively new security conference called <a onclick="_gaq.push(['_trackPageview', '/extlink/www.derbycon.com']);" href="http://www.derbycon.com">Derbycon</a>. This year was the second year they held the conference and the first year I spoke there. It was amazing, to say the least.<br /><br />I haven't been to many conventions, and this is the only security-oriented convention I've attended. When I first attended last year, it was with some trepidation. I knew that some of the attendees I'd be seeing were truly rockstars in the security world. And, unfortunately, one of the people who was supposed to come with us was unable to attend. Of course, that person was the one person in our group who was connected within the security world, and we were depending on them to introduce us to everyone.<br /><br />It went well, nonetheless, and we were able to meet a lot of amazing people while we were there. Going back this year, we were able to rekindle friendships that started last year, and even make a few new ones. Derbycon has an absolutely amazing sense of family. Even the true rockstars of the con are down to earth enough to hang out with the newcomers.<br /><br />And this year, I had the opportunity to speak. I submitted my CFP earlier in the year, not really expecting it to be chosen. Much to my surprise, though, it was. And so I spent some time putting together my talk and prepared to stand in front of the very people I looked up to. It was nerve-wracking to say the least. 
You can watch the video over on the <a onclick="_gaq.push(['_trackPageview', '/extlink/www.irongeek.com/i.php?page=videos/derbycon2/3-3-5-jason-frisvold-taming-skynet-using-the-cloud-to-automate-baseline-scanning']);" href="http://www.irongeek.com/i.php?page=videos/derbycon2/3-3-5-jason-frisvold-taming-skynet-using-the-cloud-to-automate-baseline-scanning">Irongeek site</a>, and you can find the slides in my <a onclick="_gaq.push(['_trackPageview', '/extlink/www.godshell.com/presentations']);" href="http://www.godshell.com/presentations">presentation archive</a>.<br /><br />But I powered through it. I delivered my talk and while it may not have been the most amazing talk, it was an accomplishment. I think it's given me a bit more confidence in my own abilities and I'm looking forward to giving another. In fact, I've since submitted a talk to <a onclick="_gaq.push(['_trackPageview', '/extlink/bit.ly/BSidesDE']);" href="http://bit.ly/BSidesDE">BSides Delaware</a> at the behest of the organizers. I haven't heard back yet, but here's hoping.<br /><br />I'm already making plans to attend Derbycon 2013 and I hope to be a permanent fixture there for many years to come. Derbycon is an amazing place to go and something truly magnificent to experience. I may not be in the security industry, but they made me feel truly welcome despite my often dumb questions and inane comments. <a onclick="_gaq.push(['_trackPageview', '/extlink/twitter.com/dave_rel1k']);" href="http://twitter.com/dave_rel1k">Rel1k</a>, <a onclick="_gaq.push(['_trackPageview', '/extlink/twitter.com/irongeek_adc']);" href="http://twitter.com/irongeek_adc">IronGeek</a>, and <a onclick="_gaq.push(['_trackPageview', '/extlink/twitter.com/purehate_']);" href="http://twitter.com/purehate_">Purehate</a> have put together something special and I was proud to be a part of it again.<br /></p>